Federal Housing Finance Agency Print

 Advisory Bulletins

 

 

AB 2023-05: Enterprise Fair Lending and Fair Housing Rating System41332Fannie Mae & Freddie Mac9/27/2023 4:00:00 AMAB 2023-05<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN​</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2023-05&#58;&#160; Enterprise Fair Lending and Fair Housing Rating System​</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-05_Enterprise-Fair-Lending-and-Fair-Housing-Rating-System.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2023-05]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table> ​ <h1 style="padding-top&#58;0px;"> <span style="text-decoration&#58;underline;"><em><strong>Purpose</strong></em></span></h1><p>This <em>Advisory Bulletin</em> communicates the rating system to be used when assessing the Enterprises for fair lending, fair housing, and equitable housing compliance.<br></p><h1> <span style="text-decoration&#58;underline;"><em><strong>Background</strong></em></span></h1><p style="padding-top&#58;8px !important;"> This Enterprise Fair Lending and Fair Housing Rating System is a risk-focused rating system under which each Enterprise is assigned a composite rating based on an evaluation of its fair lending compliance practices and outcomes. The rating system is a framework for annually assessing an Enterprise’s compliance with fair lending and fair housing standards and furtherance of equity in the public interest. Specifically, the composite rating of an Enterprise is based on an evaluation and rating of four components&#58; Enterprise Operations and Efficacy, Fair Lending Oversight Program, Supervision Process and Legal Compliance, and Equitable Housing Finance. FHFA considers ensuring Enterprise compliance with fair lending laws part of FHFA’s obligation to affirmatively further the purposes of the Fair Housing Act in its program of regulatory and supervisory oversight over the Enterprises and its responsibility to ensure the Enterprises comply with all applicable laws.<a href="#Ftn1" class="super-script">1</a> Aspects of this rating system also relate to FHFA’s responsibility to ensure the Enterprises operate consistent with the public interest, in addition to other authorities.<a href="#Ftn2" class="super-script">2</a> FHFA’s fair lending policy statement generally articulates its policy on fair lending and how it uses its authorities to ensure compliance with fair lending laws.<a href="#Ftn3" class="super-script">3​</a> FHFA has issued supervisory guidance to the Enterprises concerning compliance with fair lending and fair housing laws.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Ftn4" class="super-script">4</a></p><h1> <span style="text-decoration&#58;underline;"><em><strong>Guidance</strong></em></span></h1><p style="padding-left&#58;40px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">I. Effective Date and Phased Implementation</p><p style="padding-top&#58;8px !important;">FHFA will issue the first ratings pursuant to this system in 2024 based on calendar year 2023. These ratings will provide notice to the Enterprises of the current status of their fair lending compliance management and form the basis of any identification of areas for improvement. When applicable, FHFA can assess ratings-based remedial supervisory measures beginning with calendar year 2024 ratings issued in calendar year 2025.</p><p style="padding-left&#58;40px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">II. Remedial Supervisory Measures</p><p style="padding-top&#58;8px !important;">Remedial supervisory measures may include a diagnostic review, improvement action plan, or remediation plan in response where a composite rating warrants improvement. When an Enterprise is under conservatorship, composite ratings may be considered as part of FHFA’s executive compensation decisions through the FHFA Scorecard. Composite ratings may also impact consideration by FHFA of an informal or formal enforcement action related to fair lending.<a href="#Ftn5" class="super-script">5</a></p><p style="padding-left&#58;40px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">​III. Scope</p><p style="padding-top&#58;8px !important;">The Enterprises will be rated according to four factors&#58; (i) Enterprise Operations and Efficacy, which measures contributions and dedication to fair lending compliance by Enterprise business units and sufficiency of Board and management oversight; (ii) Fair Lending Oversight Program, which measures performance of the Enterprise’s fair lending oversight program; (iii) Supervision Process and Legal Compliance, which measures the duration and severity of Matters Requiring Attention (MRAs), violations, and any other adverse findings as well as conduct and cooperation during supervision activities; and (iv) Equitable Housing Finance, which measures the performance of each Enterprise under its Equitable Housing Finance Plan activities.</p><p style="padding-top&#58;8px !important;">In evaluating compliance, the ratings generally incorporate but are not limited to&#58; FHFA Scorecard activities related to fair lending and equity; fair lending supervisory examinations; reports provided pursuant to FHFA Orders on Fair Lending Compliance and Report Submission;<a href="#Ftn6" class="super-script">6​</a> compliance with fair lending and fair housing laws; compliance with FHFA regulations pertaining to fair lending or fair housing; fair housing examinations or engagements with HUD; Equitable Housing Finance Plans; fair lending issues related to conservatorship policy submissions; and, related activities, meetings, and other communications with FHFA.</p><p style="padding-left&#58;40px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">​IV. Summary of Rating Scale<br></p><p style="padding-top&#58;8px !important;">Under the rating system, each Enterprise is assigned a composite rating from “1” to “5.” A “1” rating indicates the lowest degree of supervisory concern, while a “5” rating indicates the highest level of supervisory concern. The composite rating of each Enterprise reflects the ratings of the underlying components, which are also rated on a scale of “1” to “5.” The composite rating is not an arithmetical average of the component ratings. Instead, the relative importance of each component is determined on a case-by-case basis, within the parameters established by this rating system. The evaluative factors listed under each component are not exhaustive and do not indicate level of importance.​<br></p> ​ <table class="AB-Table"><tbody><tr><th style="width&#58;8% !important;">Rating​<br></th><th style="width&#58;23% !important;">Enterprise Operations and Efficacy</th><th style="width&#58;23% !important;">Fair Lending Oversight Program</th><th style="width&#58;23% !important;">Supervision Process and Legal Compliance<a href="#Ftn7" class="super-script">7</a></th><th style="width&#58;23% !important;">​​Equitable Housing Finance</th></tr><tr><td style="text-align&#58;center !important;">​1</td><td><ul class="FHFA-List"><li>Al​l business units prioritize fair lending risk mitigation, adoption of controls and less discriminatory alternatives, and collaboration with fair lending oversight program to ensure risks are mitigated and violations do not occur</li><li>Fair lending, prioritized across the Enterprise</li><li>Board and management are engaged in and proactive about fair lending risk mitigation</li><li>All business units regularly and thoroughly review all policies for fair lending risk</li><li>Positive trends or meaningful efforts in key disparity metrics</li></ul></td><td><ul class="FHFA-List"><li>Enterprise business units regularly receive fair lending compliance training</li><li>Strong monitoring of all consumer-impact underwriting, pricing, and automated valuation models and policies</li><li>High fair lending risk activities limited and subject to heightened review</li><li>Goals and outcomes of compliance measures exceed minimum legal standards</li><li>Quality of fair lending analysis conducted is strong</li></ul></td><td><ul class="FHFA-List"><li>No violations of fair lending law identified in rating year and any minimal MRAs are Deficiencies</li><li>​​Enterprise works diligently and efficiently to resolve outstanding MRAs and conduct any remedial activities</li><li>Enterprise is cooperative and candid as part of oversight</li></ul></td><td><ul class="FHFA-List"><li>Equity prioritized across the Enterprise including actions building upon current and prior Equitable Housing Finance Plans (EHFPs)</li><li>Enterprise sets ambitious and impactful goals as part of EHFP and pursues changes mid-cycle to further improve equity</li><li>Enterprise works diligently towards goals as part of EHFP and any goal unmet has strong justifications</li><li>EHFP reflects strong, respectful engagement with individual and community stakeholders and responsiveness to outside feedback</li><li>EHFP objectives and actions are innovative, designed to catalyze meaningful impact, and clearly relate to identified barriers​<br></li></ul></td></tr><tr><td style="text-align&#58;center !important;">​2</td><td><ul class="FHFA-List"><li>All business units generally consider less discriminatory alternatives, controls, and collaboration with fair lending oversight program to mitigate risks</li><li>Policies generally reviewed for fair lending risk before adoption</li><li>Board and management engaged in fair lending risk mitigation efforts</li><li>Most key disparity metrics show positive trends, strong justification for negative trends</li></ul></td><td><ul class="FHFA-List"><li>Alternatives/ guardrails appropriately applied for high-risk activities</li><li>Satisfactory monitoring of key underwriting, pricing, and automated valuation models and policies</li><li>Goals and outcomes of compliance measures generally exceed minimum legal standards</li><li>All business units generally receive regular fair lending compliance training</li><li>Fair lending analysis is meaningful</li></ul></td><td><ul class="FHFA-List"><li>Most, if not all, risks managed such that violations of fair lending law or any fair lending MRA-Deficiency findings are isolated<a href="#Ftn8" class="super-script">8</a></li><li>Enterprise’s efforts to resolve outstanding violations or MRAs and conduct any remedial activities are significant</li><li>Enterprise is generally candid and cooperative in oversight</li></ul></td><td><ul class="FHFA-List"><li>Enterprise pursues current EHFP while continuing to build upon prior EHFPs</li><li>Enterprise sets difficult, meaningful goals and sometimes considers mid-cycle changes to improve efficacy</li><li>Enterprise makes good faith effort to meet EHFP goals and/or most goals unmet have strong justifications</li><li>EHFP reflects extensive engagement with and responsiveness to individual and community stakeholders</li><li>Nearly all EHFP objectives and actions are meaningful and logically relate to identified barriers and are linked to specific measurable goals</li></ul>​</td></tr><tr><td style="text-align&#58;center !important;">3</td><td><ul class="FHFA-List"><li>Business unit policies sometimes reviewed for fair lending risk before adoption and while active</li><li>Business units may sometimes consider less discriminatory alternatives, controls, and collaboration with fair lending oversight program and are at least sometimes ineffective in mitigating fair lending risk</li><li>Board and management engagement with fair lending risk mitigation efforts needs improvement</li><li>Key disparity metrics show at least some negative trends, strong justification for most negative trends</li></ul></td><td><ul class="FHFA-List"><li>High-risk activities not always adequately limited by controls</li><li>Ongoing monitoring of key underwriting, pricing, and automated valuation models and policies may not be comprehensive</li><li>Goals and outcomes of compliance system may seek to exceed minimum legal standards but do not always do so</li><li>Not all business units receive regular fair lending training</li><li>Quality of fair lending analysis needs improvement</li></ul></td><td><ul class="FHFA-List"><li>Violations and/or MRAs have been identified<a href="#Ftn9" class="super-script">9</a></li><li>Enterprise’s efforts to resolve outstanding violations or MRAs and conduct any remedial activities need improvement</li><li>Enterprise is sometimes candid and cooperative in oversight</li></ul></td><td><ul class="FHFA-List"><li>Equity efforts limited to current EHFP</li><li>Enterprise sets moderately difficult and/or impactful goals</li><li>Efforts to meet EHFP need improvement and/or justifications for not meeting goals are weak</li><li>EHFP reflects stakeholder feedback from a range of stakeholders, and evidence of contribution exists in the plan</li><li>Enterprise does not generally consider changes for efficacy and improvement mid-cycle</li><li>Some EHFP objectives and goals logically relate to identified barriers for underserved communities​​<br></li></ul></td></tr><tr><td style="text-align&#58;center !important;">4</td><td><ul class="FHFA-List"><li>At least some business units do not generally consider less discriminatory alternatives or controls or collaborate with fair lending oversight program</li><li>Business unit policies frequently not reviewed for fair lending risk before adoption</li><li>Board and management engagement in fair lending risk mitigation efforts is deficient</li><li>Negative trends in many key disparity metrics, justification for negative trends weak</li></ul></td><td><ul class="FHFA-List"><li>Many high-risk activities allow for discretion without appropriate guardrails</li><li>Inconsistent and deficient ongoing monitoring of key underwriting, pricing, and automated valuation models and policies</li><li>Goals and objectives of compliance system do not seek to exceed minimum legal standards and/or do not meet minimum legal standards</li><li>Most business units receive inconsistent or inadequate fair lending training</li><li>Quality of fair lending analysis deficient</li></ul></td><td><ul class="FHFA-List"><li>MRAs, individual and/or systemic violations are identified in the subject year</li><li>Enterprise’s efforts to resolve outstanding violations or MRAs and conduct any remedial activities are deficient</li><li>Enterprise generally lacks candor and cooperation in oversight</li></ul></td><td><ul class="FHFA-List"><li>Enterprise’s commitment to equity deficient</li><li>Enterprise sets goals that are unambitious and/or with minor impact</li><li>Efforts to meet EHFP goals deficient and/or justifications underlying unmet goals generally weak</li><li>EHFP reflects some stakeholder engagement but not from a diverse range or minimal integration of feedback into the plan</li><li>Few EHFP objectives and actions logically relate to identified barriers for underserved communities</li></ul></td></tr><tr><td style="text-align&#58;center !important;">​5</td><td><ul class="FHFA-List"><li>One or more business units’ consideration of less discriminatory alternatives or controls and collaboration with fair lending compliance program is critically deficient or nonexistent</li><li>Most, if not all, key disparity metrics show negative trends, and/or justification for negative trends weak or non-existent</li><li>Board and management unengaged in fair lending oversight program or actively obstructionist</li><li>At least some business units routinely fail to review policies for fair lending risk</li></ul></td><td><ul class="FHFA-List"><li>Minimal/no controls imposed for high-risk activities</li><li>Minimal/no ongoing monitoring of key underwriting, pricing, and automated valuation models and policies</li><li>Goals and objectives of compliance program critically deficient and Enterprise does not meet minimum legal standards</li><li>Most business units do not receive fair lending training, or the training provided is deficient</li><li>Quality of fair lending analysis critically deficient</li></ul></td><td><ul class="FHFA-List"><li>Individual and/or systemic violations and MRAs identified in the subject year</li><li>Enterprise’s efforts to resolve outstanding violations or MRAs and conduct any remedial activities critically deficient</li><li>Enterprise is dishonest and/or uncooperative in oversight</li></ul>​<br></td><td><ul class="FHFA-List"><li>No articulated commitment to equity</li><li>EHFP goals easy to achieve and/or with minimal impact</li><li>Efforts to meet EHFP goals critically deficient and/or justifications underlying unmet goals deficient or nonexistent</li><li>EHFP objectives and actions do not logically relate tobarriers and/or actions for an underserved community</li><li>Enterprise generally only engages with stakeholders with whom it has pre-existing relationships and/or is unresponsive to feedback​<br></li></ul></td></tr></tbody></table><p style="padding-left&#58;40px !important;padding-top&#58;24px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">​V. Composite Ratings</p><p style="padding-top&#58;8px !important;">Composite ratings are based on a careful evaluation of an Enterprise’s fair lending compliance practices and furtherance of equity goals, including the Enterprise’s operations and efficacy, fair lending oversight program, supervision process and legal compliance, and equitable housing finance activities.</p><p style="padding-top&#58;8px !important;">Composite 1 – The Enterprise’s demonstrated commitment to fair lending compliance, risk prevention, and equity and its fair lending oversight program is strong in every respect and typically, each component is rated “1” or “2.” The Enterprise as a whole is candid, proactive, and cooperative with regulators about any issues and the Enterprise is in substantial compliance with the law and with supervisory standards.</p><p style="padding-top&#58;8px !important;">Composite 2 – The Enterprise’s dedication to fair lending compliance, risk prevention, and equity and its fair lending oversight program is generally strong and most components are rated “1” or “2,” with no component rated more severely than a “3.” The Enterprise is in significant compliance with the law and with supervisory standards, and engagement with regulators regarding fair lending issues is satisfactory.</p><p style="padding-top&#58;8px !important;">Composite 3 – The Enterprise’s dedication to fair lending compliance, risk prevention, and equity and its fair lending oversight program needs improvement. Most components are rated “3” or better, with no component rated more severely than a “4.” The Enterprise may be in non-compliance with one or more legal requirements or supervisory standards and its engagement with regulators regarding fair lending issues and/or equity goals needs improvement.</p><p style="padding-top&#58;8px !important;">Composite 4 – The Enterprise’s dedication to fair lending compliance, risk prevention, and equity and its fair lending oversight program is weak and deficient. The Enterprise is in non-compliance with the law or supervisory standards.</p><p style="padding-top&#58;8px !important;">Composite 5 – The Enterprise’s dedication to fair lending compliance, risk prevention, and equity and its fair lending oversight program is critically deficient or nonexistent. The Enterprise is in substantial non-compliance with the law or supervisory standards and equity goals and requirements.</p><p style="padding-left&#58;40px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">​VI. Component Ratings</p><p style="padding-left&#58;20px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;font-style&#58;italic !important;color&#58;#276598 !important;">A. Enterprise Operations and Efficacy</p><p style="padding-top&#58;8px !important;">When rating an Enterprise’s operations and efficacy, FHFA reviews the Enterprise’s business units to determine whether they are adequately contributing to the identification of risk and compliance with fair lending laws. FHFA also reviews any information supporting conclusions regarding Board and management commitment and engagement with respect to fair lending compliance and equity goals. When making this determination, FHFA may assess&#58;</p><ul class="FHFA-LowerAlpha-List"><li>Do programs and activities have clear, legitimate, and nondiscriminatory business justifications?</li><li>Are clear, written, documented policies and procedures in place whenever appropriate?</li><li>Do business units cooperate with internal fair lending program personnel to ensure that fair lending risk is identified and mitigated prior to the development of MRAs or violations?</li><li>Does the Enterprise ensure that any discretionary decision-making in policies, procedures, programs, and activities is limited to situations where there is a clear, legitimate, nondiscriminatory business justification for such discretion?</li><li>If a disparate impact is foreseeable or identified, does the Enterprise search for less discriminatory alternative means to achieve the business purpose?</li><li>If ​fair lending risk is foreseeable or identified, does the Enterprise consider altering the program or introducing appropriate controls to mitigate that risk?</li><li>After implementation, are policies, procedures, programs, and activities appropriately analyzed, monitored, and/or reviewed on a regular schedule, with high fair lending risk activities screened more frequently?<a href="#Ftn10" class="super-script">10</a></li><li>Is fair lending compliance reinforced as a priority across the entire Enterprise, including by the Board of Directors, senior management, and business unit officials?</li><li>Do business units analyze, assess, and mitigate fair lending risk in third- and fourth-party interactions?</li><li>Does the Enterprise make meaningful efforts and/or consistent progress to improve existing accept rate gaps and similar disparities in outcomes presented by the Automated Underwriting System and related credit policies?</li><li>Are trends for key disparity metrics like accept rate gaps, pricing disparities, and acquisitions improving?<a href="#Ftn11" class="super-script">11​</a></li></ul><p style="padding-left&#58;42px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">Enterprise Operations and Efficacy Ratings​</p><ol class="FHFA-NumList"><li>A rating of 1 indicates&#58; Business units prioritize risk mitigation, adoption of controls and less discriminatory alternatives in evaluating new and revised policies, procedures, programs, and activities. Fair lending is prioritized across the Enterprise and business units collaborate with internal fair lending oversight and legal programs. The Board and management are meaningfully engaged in and proactive about fair lending risk mitigation. Business units regularly and thoroughly review all policies for fair lending risk at intervals commensurate with potential risk according to a comprehensive fair lending risk assessment process. Discretionary decision-making is substantially limited wherever possible, and regularly monitored for development of risk. The Enterprise’s key disparity metrics show positive trends or meaningful efforts to improve metrics.​</li><li>A rating of 2 indicates&#58; Business units generally consider risk mitigation, adoption of controls, and less discriminatory alternatives in evaluating new and revised policies, procedures, programs, and activities. Policies are generally reviewed for fair lending risk according to a comprehensive fair lending risk assessment process and business units generally collaborate with the fair lending oversight program to mitigate risks. The Board and management are engaged in fair lending risk mitigation efforts. Most of the Enterprise’s key disparity metrics show positive trends or meaningful efforts to improve and there is strong business justification for negative trends.</li><li>A rating of 3 indicates&#58; Business units sometimes consider risk mitigation, adoption of controls and less discriminatory alternatives in evaluating new and revised policies, procedures, programs, and activities and are at least sometimes ineffective in mitigating risk. Policies are sometimes reviewed for fair lending risk according to a comprehensive fair lending risk assessment process but the schedule of reviews and consistency in reviewing needs improvement. Business units do not always collaborate with the fair lending oversight program. The Board and management’s engagement with fair lending risk mitigation efforts need improvement. The Enterprise’s key disparity metrics show at least some negative trends for which there are usually strong business justification or efforts to improve key metrics need improvement.</li><li>A rating of 4 indicates&#58; At least some business units do not generally consider non-discriminatory alternatives or controls and risk mitigation and frequently do not review new or revised policies, procedures, programs, and activities for fair lending risk prior to adoption. At least some business units’ collaboration with the fair lending oversight program is deficient. The Board and management’s engagement with fair lending risk mitigation efforts is deficient. Many of the Enterprise’s key disparity metrics show negative trends and there is weak justification for some negative trends and/or efforts to improve key metrics are deficient.</li><li>A rating of 5 indicates&#58; One or more business units’ consideration of non-discriminatory alternatives or controls and collaboration with fair lending oversight program is critically deficient or non-existent. Business unit employees do not surface fair lending violations or fair lending concerns even if fully trained on fair lending. The Board and/or management are unengaged on fair lending risk mitigation efforts, their engagement is critically deficient, or they actively obstruct mitigation efforts. Most, if not all, of the Enterprise’s key disparity metrics show negative trends and there is weak or non-existent justification for some negative trends and/or efforts to improve key metrics are minimal or critically deficient.​<br></li></ol><p style="padding-left&#58;20px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;font-style&#58;italic !important;color&#58;#276598 !important;">B. Fair Lending Oversight Program</p><p style="padding-top&#58;8px !important;">When rating an Enterprise’s fair lending oversight program, FHFA determines whether the Enterprise’s program strives to exceed minimum legal standards, conducts effective monitoring of high-risk activities, and performs robust fair lending analysis. When making this determination, FHFA may assess&#58;</p><ul class="FHFA-LowerAlpha-List"><li>Is there a fair lending oversight program in place, and if so, how is the program structured?</li><li>Does the program incorporate appropriate controls, monitoring, and training components?</li><li>Are there sufficient resources and personnel dedicated to fair lending oversight to effectively identify fair lending risks and prevent fair lending violations, including a sufficient number of trained and committed fair lending professionals across disciplines and lines of defense?</li><li>Are consumer-impact models, including underwriting, pricing, and automated valuation models and collateral risk tools, regularly monitored for disparities and less discriminatory alternatives?</li><li>Are Enterprise employees throughout the organization sufficiently trained commensurate with their job responsibilities in fair lending compliance to identify potential fair lending risk and raise potential fair lending concerns to the appropriate officials?</li><li>Does the program incorporate both qualitative and quantitative fair lending analysis of policies, procedures, processes, and activities?</li><li>Does the program produce comprehensive fair lending analysis appropriately tailored to the risk presented?</li><li>Does the program conduct heightened, ongoing fair lending monitoring for policies, procedures, programs, and activities that involve discretionary decision-making, including having a process for identifying such policies, procedures, programs, and activities?</li><li>Does the program regularly conduct comprehensive and independent fair lending compliance reviews of business units and business activities presenting heightened fair lending risk?</li><li>Does the program aim to exceed minimum legal standards, meaning, does it seek to prioritize equity and implement fair lending best practices including mitigating fair lending risk and disparities in areas of legal uncertainty?<a href="#Ftn12" class="super-script">12</a>​​​ Does it in fact exceed minimum legal standards?</li></ul><p style="padding-left&#58;42px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">Fair Lending Oversight Program Ratings</p><ol class="FHFA-NumList"><li>A rating of 1 indicates&#58; The work of designated fair lending officials and the function of the fair lending oversight program are strong. Enterprise business units regularly receive comprehensive, updated, relevant, and evidence-based fair lending compliance training. The Enterprise conducts strong ongoing monitoring of all consumer-impact underwriting, pricing, and automated valuation models and policies and other high-risk activities are limited and subject to heightened reviews. Fair lending analysis conducted by the program and fair lending officials is strong. The Enterprise strives to exceed minimum legal standards when setting goals and achieving outcomes, and in fact does exceed them. Compliance management practices are strong, including regular, frequent reviews of activities tailored to the risk presented; effective controls; and quantitative and qualitative monitoring with mechanisms to address issues identified.</li><li>A rating of 2 indicates&#58; The work of designated fair lending officials and the function of the fair lending oversight program are satisfactory. Enterprise business units regularly receive relevant fair lending compliance training. The Enterprise conducts satisfactory ongoing monitoring of key consumer-impact underwriting, pricing, and automated valuation models and collateral risk tools and policies, and other high-risk activities are appropriately limited and generally subject to heightened reviews. Fair lending analysis conducted by the program and fair lending officials is meaningful. The Enterprise strives to exceed minimum legal standards when setting goals and achieving outcomes and does generally exceed them. Compliance management practices are satisfactory, including generally consistent reviews of activities; controls placed on appropriate programs and activities; evidence-based monitoring generally conducted; and issues are generally able to be addressed.</li><li>A rating of 3 indicates&#58; The work of designated fair lending officials and/or the function of the fair lending oversight program need improvement. Not all business units receive regular fair lending compliance training and/or fair lending compliance training may at times be inadequate to address the risk presented. The Enterprise conducts ongoing monitoring of key consumer-impact underwriting, pricing, and automated valuation models and collateral risk tools and policies but it may not be comprehensive, sufficiently frequent, and/or evidence-based. Fair lending analysis conducted by the program and fair lending officials needs improvement. Where a policy or program is identified as presenting high fair lending risk, it may not be subject to heightened or routine review or regularly monitored commensurate with the risk presented. The quality, frequency, and/or mechanisms to address issues raised by fair lending analysis conducted by the program and fair lending officials needs improvement. The Enterprise may seek to exceed minimum legal standards when setting goals and achieving outcomes but does not always do so.</li><li>A rating of 4 indicates&#58; The work of designated fair lending officials and/or the function of the fair lending oversight program is deficient. Business units receive inconsistent or inadequate fair lending training. The Enterprise may fail to conduct regular, ongoing monitoring of consumer-impact underwriting, pricing, and automated valuation models and collateral risk tools and policies, or such ongoing monitoring may be deficient to mitigate the risk presented. The quality of fair lending analysis conducted is deficient. Many high-risk activities allow for discretion without appropriate controls or risk mitigation guardrails. Compliance goals and objectives are designed to only meet minimum legal standards and the Enterprise frequently fails to meet those goals.</li><li>A rating of 5 indicates&#58; The work of designated fair lending officials and/or the function of the fair lending oversight program is critically deficient. Business units do not receive fair lending training, or the training is critically deficient. The Enterprise may fail to conduct ongoing monitoring of consumer-impact underwriting, pricing, and automated valuation models and collateral risk tools and policies entirely, or such ongoing monitoring is minimal. The quality of fair lending analysis is critically deficient. There are no or minimal controls or risk mitigation guardrails for high-risk activities and those that allow for discretion. Compliance goals and objectives are critically deficient, and the Enterprise frequently fails to meet minimum legal standards.​<br></li></ol><p style="padding-left&#58;20px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;font-style&#58;italic !important;color&#58;#276598 !important;">C. Supervision Process and Legal Compliance</p><p style="padding-top&#58;9px !important;">When rating an Enterprise’s supervision process and legal compliance, FHFA determines whether any new adverse findings were made during the rating year and the severity of those findings, as well as an Enterprise’s efforts to resolve outstanding adverse findings. FHFA similarly considers any relevant regulatory or enforcement actions that are initiated, pending, finalized, and undergoing remediation during the rating year. When making this determination, FHFA may assess&#58;</p><ul class="FHFA-LowerAlpha-List"><li>Were MRAs or violations identified during the rating year?</li><li>If MRA(s) were identified, what is the severity of the MRA(s)?</li><li>If there were violations, were they individual or systemic?</li><li>Were any other regulatory or enforcement actions initiated, pending, finalized, and/or undergoing remediation during the rating year?</li><li>Did the compliance oversight program identify any fair lending risks that the Enterprise failed to correct or sufficiently mitigate?</li><li>If so, what was the duration of the risky activity or violation?</li><li>If a violation exists, is the evidence overt, comparative, or related to disparate impact?</li><li>If comparative or overt evidence, is it due to unnecessarily discretion-oriented policies or a lack of appropriate oversight?</li><li>Is the Enterprise working diligently and efficiently to resolve outstanding adverse findings, including by submitting remediation activities in a complete and timely manner?<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Ftn13" class="super-script">13</a></li><li>Is the Enterprise cooperative and candid throughout oversight activities, including when sharing information?</li></ul><p style="padding-left&#58;42px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">Supervision Process and Legal Compliance Ratings</p><ol class="FHFA-NumList"><li>A rating of 1 indicates&#58; No violations of fair lending law are identified in the rating year and any minimal MRAs are Deficiencies. If applicable, the Enterprise works diligently and efficiently to resolve outstanding MRAs, violations, and other adverse findings including by proposing and executing comprehensive remediation plans and submitting complete remediation activities in a timely manner. The Enterprise is cooperative and candid about new or outstanding issues when engaging with regulators in oversight and examination activities.</li><li>A rating of 2 indicates&#58; Most, if not all, fair lending risks identified and managed so that adverse findings, including violations of fair lending law or MRAs do not develop; those that do occur are isolated. If applicable, the Enterprise’s efforts to resolve outstanding MRAs, violations, and other adverse findings are significant including by submitting complete remediation activities in a timely manner. The Enterprise is generally cooperative and candid about new or outstanding issues when engaging with regulators in oversight and examination activities.</li><li>A rating of 3 indicates&#58; Violations of fair lending law and/or MRAs are identified during the rating year. If applicable, the Enterprise’s efforts to resolve outstanding MRAs, violations, and other adverse findings need improvement including by submitting complete remediation activities in a timely manner. The Enterprise is sometimes cooperative and candid about new or outstanding issues when engaging with regulators in oversight and examination activities.</li><li>A rating of 4 indicates&#58; Violations of fair lending law and/or MRAs are identified during the rating year. Adverse findings may include widespread individual violations of fair lending law or systemic violations. If applicable, the Enterprise’s efforts to resolve outstanding MRAs, violations, and other adverse findings are deficient. The Enterprise generally lacks cooperation and candor when engaging with regulators in oversight about new or outstanding issues and examination activities.</li><li>A rating of 5 indicates&#58; Violations of fair lending law and/or MRAs are identified during the rating year. Adverse findings may include widespread individual violations of fair lending law or systemic violations and MRAs are generally serious. If applicable, the Enterprise’s efforts to resolve outstanding MRAs, violations, and other adverse findings are critically deficient or nonexistent. The Enterprise is dishonest and/or uncooperative when engaging with regulators in oversight about new or outstanding issues and examination activities.​<br></li></ol><p style="padding-left&#58;20px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;font-style&#58;italic !important;color&#58;#276598 !important;">D. Equitable Housing Finance</p><p style="padding-top&#58;9px !important;">When rating an Enterprise on equitable housing finance, FHFA evaluates an Enterprise’s planning and execution of its Equitable Housing Finance Plan (“EHFP”). FHFA also considers objective metrics and analytics as part of its evaluation. When making this determination, FHFA may assess&#58;</p><ul class="FHFA-LowerAlpha-List"><li>Is equity prioritized across the Enterprise?</li><li>Does the Enterprise set ambitious and impactful goals as part of the EHFP?</li><li>Does the Enterprise pursue changes to its EHFP midcycle to further improve equity in accordance with the framework for EHFP updates?</li><li>Does the Enterprise build upon current and prior EHFPs' goals and objectives in pursuing equity?</li><li>Does the Enterprise work diligently towards the goals it sets in the current EHFP?</li><li>Does the Enterprise in fact meet goals set in its EHFP, and if not, is there a strong justification for why the goal was not met?</li><li>Are EHFP objectives and actions innovative, designed to catalyze meaningful impact, and do they logically relate to identified barriers for underserved communities?</li><li>Are EHFP objectives and actions clearly linked to specific measurable goals?</li><li>Does the EHFP reflect engagement with and responsiveness to a wide variety of individual and community stakeholders, including stakeholders with whom the Enterprise does not have a prior relationship?</li><li>Does the Enterprise use innovative community-based techniques when engaging with a diverse range of individual and community stakeholders?</li></ul>​ <p style="padding-left&#58;42px !important;padding-top&#58;16px !important;font-size&#58;1.08em !important;color&#58;#276598 !important;">Equitable Housing Finance Ratings</p><ol class="FHFA-NumList"><li>A rating of 1 indicates&#58; Equity is prioritized across the Enterprise, including by building upon goals and objectives specified in both the current and prior EHFPs. The Enterprise sets ambitious, impactful goals in its EHFP and pursues changes to its stated goals and objectives mid-cycle to further improve equity. The Enterprise works diligently to achieve the goals set out in the EHFP and has strong justifications for goals unmet. The EHFP reflects strong and respectful engagement with a diverse range of individual and community stakeholders using innovative community-based techniques and the EHFP is responsive to outside feedback. EHFP objectives and actions are innovative, designed to catalyze meaningful impact, and clearly related to identified barriers.</li><li>A rating of 2 indicates&#58; The Enterprise pursues equity through its current EHFP while continuing to build upon goals and objectives specified in prior EHFPs. The Enterprise sets difficult, meaningful goals in its EHFP and sometimes pursues changes to its stated goals and objectives mid-cycle to further improve equity. The Enterprise makes a good faith effort to achieve the goals set out in the EHFP and has strong justifications for most goals unmet. The EHFP reflects extensive engagement with a diverse range of individual and community stakeholders and the EHFP is generally responsive to outside feedback. Nearly all EHFP objectives and actions are meaningful and logically related to identified barriers for underserved communities and linked to specific measurable goals.</li><li>A rating of 3 indicates&#58; The Enterprise’s commitment to equity is limited to its current EHFP. The Enterprise sets moderately difficult and/or impactful goals in its EHFP and does not generally consider changes to its stated goals and objectives mid-cycle to further improve equity. The Enterprise’s efforts to achieve the goals set out in the EHFP need improvement and/or the Enterprise has weak justifications for at least some goals unmet. The EHFP reflects engagement with a range of individual and community stakeholders and the EHFP includes evidence of contribution. Most EHFP objectives and actions logically relate to identified barriers for underserved communities and are sometimes linked to specific measurable goals.</li><li>A rating of 4 indicates&#58; The Enterprise’s commitment to equity is deficient. The Enterprise sets goals that are unambitious or have minor impact in its EHFP and rarely considers changes to its stated goals and objectives mid-cycle to further improve equity. The Enterprise’s efforts to achieve the goals set out in the EHFP are deficient and/or the Enterprise generally has weak justifications for goals unmet. The EHFP reflects some engagement with stakeholders but not from a diverse range of stakeholders and feedback provided is minimally integrated into the EHFP. Few EHFP objectives and actions logically relate to identified barriers for underserved communities and are generally not linked to specific measurable goals.</li><li>A rating of 5 indicates&#58; The Enterprise has no articulated commitment to equity or its commitment is critically deficient. The Enterprise sets goals that are easy to achieve or have minimal impact in its EHFP and does not consider changes to its stated goals and objectives mid-cycle to further improve equity. The Enterprise’s efforts to achieve the goals set out in the EHFP are critically deficient and/or the Enterprise generally has weak or nonexistent justifications for goals unmet. The Enterprise generally only engages with stakeholders with whom it has a pre-existing relationship and/or is unresponsive to feedback. EHFP objectives and actions do not logically relate to identified barriers for underserved communities and are mostly not linked to specific measurable goals.</li></ol><p></p> ​<hr />​​ <p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn1" class="super-script">1</a> 12 U.S.C. 4511(b)(2), 42 U.S.C. 3608(d).</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn2" class="super-script">2</a> 12 U.S.C. 4513(b)(v).</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn3" class="super-script">3&#160;</a><a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a></p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn4" class="super-script">4&#160;</a><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB%202021-04%20Enterprise%20Fair%20Lending%20and%20Fair%20Housing%20Compliance.pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB%202021-04%20Enterprise%20Fair%20Lending%20and%20Fair%20Housing%20Compliance.pdf</a></p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn5" class="super-script">5</a> See <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/20130531_AB_2013-03_FHFA-Enforcement-Policy_508%20(2).pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/20130531_AB_2013-03_FHFA-Enforcement-Policy_508%20(2).pdf</a></p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn6" class="super-script">6</a> Order No. 2021-OR-FHLMC-2; Order No. 2021-OR-FNMA-2.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn7" class="super-script">7</a> “Legal Compliance” includes findings related to targeted examinations and the supervision process as well as all other relevant regulatory or enforcement actions.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn8" class="super-script">8</a> A “2” rating for Supervision Process and Legal Compliance is possible with MRA – Deficiency and individual violation of law findings during the calendar year.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn9" class="super-script">9</a> All “3” or higher ratings for Supervision Process and Legal Compliance include at least one adverse finding during the calendar year.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn10" class="super-script">10</a> All policies should be reviewed periodically, but not all policies must be reviewed according to the same timeframes. For example, policies that pose the greatest fair lending risk should be reviewed the most frequently, at a minimum, as they change or as enough data accumulates to reconsider effectiveness. Policies that do not pose the greatest fair lending risk may be reviewed less frequently than the first group, at a minimum, when changes to the policy are implemented to be sure that there is no new fair lending concern. Policies that do not pose significant fair lending risk may be reviewed the least frequently, at a minimum, according to a risk-focused program for regular policy review.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn11" class="super-script">11</a> FHFA will not penalize the Enterprise for market factors outside the Enterprise’s control. FHFA will consider the Enterprise’s direct or indirect actions that contribute to disparities even when market factors are also found to contribute to disparities.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn12" class="super-script">12</a> Minimum legal standards are defined as not violating clearly established law. The Enterprise should strive to exceed minimum legal standards by prioritizing equity and fair lending best practices because simply meeting legal standards in fair lending presents litigation, management, operational, reputational, and regulatory risks to the Enterprise, especially given the sometimes-uncertain application of standards and defenses under fair lending law.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn13" class="super-script">13​</a> Outstanding MRAs or violations from prior rating years would not be considered a sole basis for considering a negative rating under this assessment. Inadequate or untimely remediation deliverables, lack of cooperation in remediation, or other failures during the rating year, however, will be considered, as will responsible business conduct, fulsome corrective action, and other successes in remediation activities.</p><div style="padding-top&#58;12px !important;"><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;font-weight&#58;400;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>​FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes and applicable law. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact James Wylie at <a href="mailto&#58;James.Wylie@fhfa.gov">James.Wylie@fhfa.gov​</a> or by phone at 1-202-649-3209.​<br></p></td></tr></tbody></table> ​ ​​ ​​ ​​ <br> </div></div><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 38e820da-7fa4-43ad-a57b-337845bba1a0" id="div_38e820da-7fa4-43ad-a57b-337845bba1a0" unselectable="on"></div><div id="vid_38e820da-7fa4-43ad-a57b-337845bba1a0" unselectable="on" style="display&#58;none;"></div></div>​​​<br>​<br>9/27/2023 6:00:54 PMHome / Supervision & Regulation / Advisory Bulletins / AB 2023-05: Enterprise Fair Lending and Fair Housing Rating System Advisory Bulletin The rating system is a framework 5062https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Supplemental Guidance to Advisory Bulletin 2021-03: Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention44048Fannie Mae & Freddie Mac8/17/2023 4:00:00 AMAB 2023-04<p> <span>​​​​​<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-04_Supplemental-Guidance-to-Advisory-Bulletin-2021-03.pdf">[view&#160;PDF of Advisory&#160;B​ulletin 2023-04]</a>&#160; &#160;</span>​<br></p><h1> <span> <em> <strong>Purpose</strong></em></span></h1><p>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin as supplemental guidance to FHFA Advisory Bulletin 2021-03&#58; <em>Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</em> (Advisory Bulletin 2021-03), published on August 25, 2021.<a href="#Ftn1" class="super-script">1</a> This Advisory Bulletin is intended to clarify FHFA’s existing guidance and is applicable to Fannie Mae and Freddie Mac (collectively, the Enterprises).</p><h1> <span> <em> <strong>Background</strong></em></span></h1><p>Since the publication of Advisory Bulletin 2021-03, FHFA has observed the Enterprises’ implementation of the guidance and has determined the need for additional clarification. This Advisory Bulletin elaborates on certain elements of Advisory Bulletin 2021-03 and provides clarifications related to asset classifications, Loss-classified balance calculations, and other accounting topics.​<br></p><h1> <span> <em> <strong>Guidance</strong></em></span></h1><p>This guidance is organized by illustrative questions that a reader may have when considering the guidelines set forth in Advisory Bulletin 2021-03.​<br></p> ​ <p> <strong>1.&#160;&#160;What does the term “balance” (as in an asset’s balance or a loan’s balance) mean in terms of accounting measurement basis?​</strong></p><p>Unless specified otherwise, (e.g., a requirement to classify and report assets by their unpaid principal balance), the term “balance” is defined as follows&#58; </p><ul class="FHFA-List" style="padding-bottom&#58;0px !important;margin-bottom&#58;0px !important;"><li>For financial assets such as loans, advances, or financing receivables, “balance” means the asset’s amortized cost basis regardless of whether the asset is classified as held-for-investment (HFI) or held-for-sale (HFS) or accounted for under the fair value option (FVO). Amortized cost basis is the sum of unpaid principal balance, unamortized cost basis adjustments, and accrued interest receivable (AIR). For Enterprises that elect the option provided by U.S. Generally Accepted Accounting Principles (GAAP)<a href="#Ftn2" class="super-script">2</a> ​to report and disclose AIR separately from amortized cost, amortized cost basis will include only unpaid principal balance and unamortized cost basis adjustments. Contra-accounts such as allowance for credit losses or valuation allowance are excluded from the calculation of the amortized cost basis. </li><li>For non-financial assets such as Real Estate Owned (REO), “balance” means the asset’s initial carrying amount for REO classified as HFS (the cost basis). Contra-accounts such as valuation allowance are excluded from the calculation of the HFS REO’s cost basis.</li><li style="padding-bottom&#58;0px !important;margin-bottom&#58;0px !important;">​Off-balance-sheet credit exposures refer to those that are neither unconditionally cancellable nor accounted for as derivatives or insurance contracts. For these exposures, “balance” means the Enterprise’s maximum exposure to loss without consideration of potential recoveries such as those from collateral, credit enhancements or recourse to another party. Specifically&#58; <ul class="FHFA-InnerList" style="padding-bottom&#58;0px !important;margin-bottom&#58;0px !important;"><li style="padding-top&#58;8px !important;">​For standby letters of credit, “balance” means the remaining notional amount of the standby letter of credit.</li><li>For loan purchase commitments, “balance” means the remaining notional amount of the legally binding commitments to purchase mortgage loans. </li><li style="padding-bottom&#58;0px !important;margin-bottom&#58;0px !important;">​For finan​cial guarantees, “balance” means the maximum potential future payments that a guarantor could be required to make. </li></ul> ​ </li></ul>​ <p style="margin-top&#58;0px !important;padding-top&#58;0px !important;"> <strong>2.&#160;&#160;How and when is the fair value of a single-family residential mortgage loan’s collateral determined?</strong></p><p>Collateral fair value should be determined in accordance with U.S. GAAP<a href="#Ftn3" class="super-script">3</a> using a property valuation technique that meets industry and professional standards (e.g., the Interagency Appraisal and Evaluation Guidelines), such as an appraisal or a valuation produced by automated valuation models. The valuation technique chosen should produce a reasonably reliable estimate of fair value. </p><p>Collateral fair value should be determined at a point in time that provides a reasonable basis for the classification decision. Advisory Bulletin 2021-03 provides that an assessment of current fair value should be made before a loan with a loan-to-value ratio greater than 60 percent is more than 180 days delinquent. A loan that has a loan-to-value ratio below 60 percent and is therefore exempt from adverse classification should be based on a collateral valuation that is no more than 90 days old. Subsequent valuations should be performed and documented at least quarterly until the loan is no longer classified.</p><p style="padding-top&#58;16px !important;"> <strong>3.&#160;&#160;For financial assets not classified as HFS or not accounted for under the FVO, should the expected proceeds from non-freestanding credit enhancements always be included in the calculation of the Loss-classified balance to be written off?</strong></p><p>Yes. In accordance with U.S. GAAP,<a href="#Ftn4" class="super-script">4</a> the expected proceeds from non-freestanding credit enhancements should be included in the calculation of the Loss-classified balance to be written off.</p><p>This U.S. GAAP requirement would apply to all applicable instances in which a Loss-classified balance to be written off is calculated, not just to loans with loan-to-value ratio greater than 60 percent that are more than 180 days past due.</p><p style="padding-top&#58;16px !important;"> <strong>4.&#160;&#160;When estimating the expected proceeds from non-freestanding credit enhancements in the calculation of the Loss amount, should the expected proceeds be adjusted for a current assessment of collectability? </strong></p><p>Yes. The estimation of expected proceeds from non-freestanding credit enhancements should consider any factors that may affect the credit enhancement provider’s ability to honor valid claims. If the analysis concludes that the credit enhancement provider is unlikely to meet its contractual obligations, the Enterprises should apply an appropriate adjustment to ensure only expected proceeds from non-freestanding credit enhancements are included in the calculation of the amount classified as Loss. With respect to supplemental mortgage insurance, the Enterprises should adopt a methodology to allocate a portion of the supplemental mortgage insurance to specific loans. </p><p style="padding-top&#58;16px !important;"> <strong>5.&#160;&#160;Can the calculation of an amount classified as Loss include adjustments for Credit Risk Transfer (CRT) coverage?</strong></p><p>CRTs that are accounted for as freestanding credit enhancements should be excluded from the Loss calculation. </p><p style="padding-top&#58;16px !important;"> <strong>6.&#160;&#160;Can contractual terms such as representations and warranties be considered when evaluating a loan for classification? </strong></p><p>Yes. The Enterprises may consider the extent to which contractual terms, including representations and warranties, provide protection against loss for an individual mortgage loan. The Enterprises should consider any factors that may adversely affect the enforceability of contractual terms. If the analysis concludes that the counterparty is unlikely to meet its contractual obligation, then the Enterprises should apply an appropriate adjustment to the amount classified as Loss. Notable factors to consider include the financial condition and ability or willingness of the counterparty to fulfill contractual obligations. </p><p style="padding-top&#58;16px !important;"> <strong>7.&#160;&#160;How should the Loss-classified balance be calculated (i) for assets classified as HFS, (ii) for assets that are classified as HFS or HFI but accounted for under the FVO, (iii) for AIR, or (iv) for off-balance-sheet credit exposures? </strong></p><p>For a loan or financing receivable classified as HFS, including those classified as HFS but accounted for under the FVO (HFS FVO), the Loss-classified balance is calculated as any excess of the asset’s amortized cost basis over its fair value. The Loss-classified balance should equal the balance of the valuation allowance account in absolute value – a contra account to the HFS loan or financing receivable. </p><p>For a loan or financing receivable classified as HFI but accounted for under the FVO (HFI FVO), if the loan is determined to be classified as Loss, the Loss-classified balance is calculated as any excess of the asset’s amortized cost basis over its fair value. The Loss-classified balance should equal the balance of the valuation allowance account in absolute value – a contra account to the HFI FVO loan or financing receivable.</p><p>For an REO classified as HFS, the Loss-classified balance is calculated as any excess of the REO’s initial carrying amount over its fair value less cost to sell. The Loss-classified balance should equal the balance of the valuation allowance account in absolute value – a contra account to the HFS REO. </p><p>As provided in Advisory Bulletin 2021-03, to comply with U.S. GAAP, the Loss-classified balance of assets classified as HFS (including HFS FVO) or classified as HFI but accounted for under the FVO (HFI FVO) should not be written off. Therefore, if in the next period, there is an increase in (i) the fair value of HFS (including HFS FVO) or HFI FVO loan or (ii) the fair value less cost to sell of HFS REO, the calculated Loss-classified balance would be reduced to reflect the increase in the sources of recovery.</p><p>If the Enterprises elected to write off AIR in a timely manner (i.e., when transitioning a loan from accrual to nonaccrual status), the Loss-classified balance is equal to the write-off amount. </p><p>For off-balance-sheet credit exposures that are neither unconditionally cancellable nor accounted for as derivatives and insurance contracts, if an exposure is determined to be classified as Loss, the Loss-classified balance should equal the balance of the liability recognized in absolute value, in accordance with U.S. GAAP.<a href="#Ftn5" class="super-script">5</a> Since the exposures are off-balance-sheet, the guidance to write off the Loss-classified balance is not applicable. Therefore, in the next period, if there is an increase in the sources of recovery, the calculated Loss-classified balance would be reduced accordingly.</p><p style="padding-top&#58;16px !important;"> <strong>8.&#160;&#160;How should the remaining balance of an asset be classified after the Loss-classified balance has been calculated? </strong></p><p>For any period in which a Loss-classified balance of an asset exists, the remaining balance of the asset should be classified as Substandard. However, for AIR, since the Loss-classified balance is calculated as the entire amortized cost basis of previously recognized but uncollected interest receivable, there would be no remaining balance left to be classified. </p><p>In the subsequent periods, the classification of the remaining balance should follow the general classification guidance. However, for loans associated with a borrower who is in bankruptcy, after the Loss-classified balance is written off, any loan balance remaining should continue to be classified as Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months. </p><p style="padding-top&#58;16px !important;"> <strong>9.&#160;&#160; For a borrower in bankruptcy, how should the phrase “until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months” be interpreted? </strong></p><p>When a borrower is in bankruptcy, the Enterprises should receive timely monthly contractual payments for six consecutive months to be eligible for re-classification. After that period, the loan balance remaining after write-off would no longer need to be classified as Substandard based on delinquency.</p><p style="padding-top&#58;16px !important;"> <strong>10.&#160;&#160;How should loans from borrowers that have declared bankruptcy but remain current on their payments be classified? </strong></p><p>Loans associated with a borrower who is in bankruptcy and remains current on their payments need not be written-off. However, if it cannot be demonstrated and documented that full repayment is likely to occur, any portion of the loan balance in excess of the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding credit enhancements should be classified as Loss and written off within 60 days of receipt of the notification of filing from the bankruptcy court or within the delinquency time frames specified in Advisory Bulletin 2021-03, whichever is shorter. Any loan balance remaining after write-off should be classified as Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months.</p><p style="padding-top&#58;16px !important;"> <strong>11.&#160;&#160;When a borrower files for bankruptcy, what form of documentation would clearly demonstrate and document that repayment is likely to occur? </strong></p><p>The Enterprises should document that the borrower is likely to repay the loan. Examples of appropriate documentation are the borrower’s formal reaffirmation of the debt, and/or documented evidence that the borrower has a financial capacity and intention to repay the loans. The Enterprises may consider the borrower’s payment history and loan status (e.g., the loan is current at the time of the bankruptcy filing and has no prior delinquencies) when evaluating whether repayment is likely to occur. ​</p><p style="padding-top&#58;16px !important;"> <strong>12.&#160;&#160;Why are fraudulent loans not covered by representations and warranties written off within 90 days of discovery? </strong></p><p>Loans tainted by fraud are of such questionable value that they should not be recognized as an asset on the balance sheet. The timing of any potential collection is uncertain notwithstanding a perfected security interest in the collateral or collateral fair value that would otherwise provide protection against loss. Amounts ultimately collected should be recorded as a recovery. ​</p><p style="padding-top&#58;16px !important;"> <strong>13.&#160;&#160; Is it acceptable to write off an asset before it is classified as Loss? </strong></p><p>Advisory Bulletin 2021-03 states that the write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses. For example, the Enterprises should apply Advisory Bulletin 2021-03 to evaluate and classify a single-family residential mortgage loan as Loss no later than when the loan is 180 days delinquent. The Enterprises should also write off the portion of the loan classified as Loss, except in certain limited circumstances, such as when the loan is classified as HFS or accounted for under the FVO (refer to Question 7).</p><p>However, U.S. GAAP<a href="#Ftn6" class="super-script">6</a>​ also requires an entity to recognize a full or partial write-off of a financial asset in the period in which the financial asset is deemed uncollectible, which could sometimes occur before a loan is classified as Loss, such as when a non-performing single-family residential mortgage loan is transferred from HFI to HFS. Therefore, in these instances, the Enterprises may write off a single-family residential mortgage loan before it is classified as Loss. </p><p style="padding-top&#58;16px !important;"> <strong>14.&#160;&#160; Should a loan that has a borrower-initiated modification be listed as Special Mention for six months? </strong></p><p>Advisory Bulletin 2021-03 does not specifically distinguish between modifications that are initiated by the borrower or another party, such as the servicer. Rather, Advisory Bulletin 2021-03 establishes performance-based indicators for classifying delinquent loans that are not otherwise well-secured and in process of collection. Thus, a borrower-initiated loan modification, which is (i) not related to a credit issue, (ii) not adversely classified, and (iii) does not evidence potential weaknesses or deficiencies in administration, may avoid a classification of Special Mention.​</p><h1> <span> <em> <strong>Related Guidance​</strong></em></span></h1><p style="padding-top&#58;6px !important;"> ​ <em>F​ramework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention,&#160;</em>FHFA Advisory Bulletin 2021-03​, August 25, 2021.</p><p>FASB ASC 326, <em>Financial Instruments – Credit Losses</em>.</p><p>FASB ASC 820, <em>Fair Value Measurement</em>​.​<br></p><hr />​​ <p class="FootNote"> <a name="Ftn1" class="super-script">1</a> ​<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/2021-03_AB-Framework-for-Adversely-Classifying-Loans.pdf">FHFA Advisory Bulletin 2021-03&#58; <em>Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</em></a>, August 2021.</p><p class="FootNote"> <a name="Ftn2" class="super-script">2&#160;</a><em>See</em> Financial Accounting Standards Board (FASB)’s Accounting Standards Codification (ASC) 326, <em>Financial Instruments – Credit Losses.</em> </p><p class="FootNote"> <a name="Ftn3" class="super-script">3&#160;</a><em>See</em> FASB ASC 820, <em>Fair Value Measurement</em>.</p><p class="FootNote"> <a name="Ftn4" class="super-script">4&#160;</a><em>See</em> FASB ASC 326, <em>Financial Instruments – Credit Losses</em>.</p><p class="FootNote"> <a name="Ftn5" class="super-script">5&#160;</a><em>See</em> FASB ASC 326, <em>Financial Instruments – Credit Losses</em>.</p><p class="FootNote"> <a name="Ftn6" class="super-script">6&#160;</a><em>See</em> FASB ASC 326, <em>Financial Instruments – Credit Losses</em>​.</p> <br> <table class="NoteTable" style="border&#58;1px solid #000000 !important;"><tbody><tr><td style="padding&#58;5px !important;">​ ​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. &#160;&#160; </td></tr></tbody></table> ​ <br> ​​ <div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 9ab18f66-0cfa-40e1-8da2-f4fcb0254457" id="div_9ab18f66-0cfa-40e1-8da2-f4fcb0254457" unselectable="on"></div><div id="vid_9ab18f66-0cfa-40e1-8da2-f4fcb0254457" unselectable="on" style="display&#58;none;"></div></div>​​ 8/17/2023 5:00:40 PM[view PDF of Advisory B​ulletin 2023-04 The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin as supplemental guidance to FHFA Advisory Bulletin 2021-03 4243https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management39067All1/13/2023 5:00:00 AMAB 2023-02<tbody><tr><td><p> <span>​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p> <span>AB 2023-02&#58;&#160; Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management​</span></p><p> <span> <a>[view&#160;PDF of Advisory&#160;Bulletin 2023-02]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table><h1> <span> <em> <strong>Purpose</strong></em></span></h1><p>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2017-02&#58; <em>Information Security Management</em>, published on September 28, 2017.<a>[1]</a> This AB is applicable to Freddie Mac, Fannie Mae,<a>[2]</a> the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities<a>[3]</a>) and clarifies FHFA’s existing guidance and provides insight on industry trends.</p><h1> <span> <em> <strong>Background</strong></em></span></h1><p>Since the publication of AB 2017-02&#58; <em>Information Security Management</em>, new cybersecurity threats have emerged, and existing threats have evolved. As the cyber landscape continues to change, FHFA expects the policies, procedures, and practices that the regulated entities use to ensure safe and sound information security risk management to evolve accordingly. The regulated entities’ information security management program should be commensurate with the level of risk and complexity of its threats and should be periodically reviewed to verify that it reflects industry standards. This AB elaborates on and clarifies elements of AB 2017-02&#58; <em>Information Security Management</em>, and FHFA expects each regulated entity to individually assess the risks associated with protecting the confidentiality, integrity, and availability of its information. FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program. </p><h1> <span> <em> <strong>Guidance</strong></em></span></h1><p>This AB’s guidance is organized by illustrative questions that a reader may have when considering the emergence of new cybersecurity threats and the evolution of existing threats since the publication of AB 2017-02&#58; Information Security Management. Each regulated entity’s program should consider adopting appropriate industry standards commensurate with the complexity and risk profile of the entity, such as those promulgated by the National Institute of Standards and Technology (NIST).<a>[4]</a> </p><p> <strong>1.&#160;&#160;How does cyber resiliency factor into AB 2017-02&#58; <em>Information Security Management?</em></strong></p><p>Cyber resiliency can be defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”<a>[5]</a> The regulated entities should secure their IT systems in order to continually deliver business operations during cyber events and incidents and/or breaches; remain prepared to detect and respond to compromises to mission critical functions from potential threats; and minimize disruption from an event, incident, or breach.<a>[6]</a></p><p>The confidentiality, integrity, and availability of key regulated entity systems and data should inform information security management at the regulated entities. Incidents affecting the confidentiality, integrity, and availability of systems can significantly impair the operations of the regulated entities. For these reasons, the regulated entities should consider adopting cyber resiliency standards such as those outlined in NIST publications,<a>[7]</a> such as planned redundancy, network segmentation, and strategic contingency planning with third parties to maximize the continuity of business operations.</p><p> <strong>2.&#160;&#160;How can the regulated entities manage the risk from current information security threats?</strong></p><p>The regulated entities should be able to react to and consider the threats outlined below, among others, that expand on the concepts outlined in AB 2017-02&#58; <em>Information Security Management</em>. The regulated entities should also remain familiar with emerging risks and mitigants within the industry by participating in financial sector information sharing workstreams (e.g., FSSCC, FS-ISAC).<a>[8]</a> FHFA expects a continual practice of cyber hygiene such as scanning for and timely patching of vulnerabilities and conducting penetration tests.</p><p>​<span>Social Engineering</span></p><p>Social engineering exploits weaknesses in people rather than in technology. Often, social engineering attackers gather information to support the beginning stages of a sophisticated attack. By improving awareness and implementing technical measures, the regulated entities reduce the chance of social engineering leading to a successful cyberattack.</p><p>Phishing, or similar business email compromise (BEC) attacks, continues to be a commonly used social engineering tactic. Cyber attackers can be innovative and adopt new and creative social engineering tactics to trick company employees into disclosing their credentials or other non-public information. Email and web gateway servers can help defend against BEC attacks through URL filtering. The regulated entities should ensure that these defenses are frequently updated. Additionally, the regulated entities should, as a matter of routine, ensure they update security awareness trainings regularly, conduct social engineering testing (e.g., phishing simulations), and review network device configurations to ensure only legitimate traffic is allowed.</p><p> <span>Malware &amp; Ransomware</span></p><p>While the regulated entities may not be able to prevent being the target of malware and ransomware attacks, having appropriate operational resiliency measures can reduce the effect of these incidents on business operations. Each regulated entity should maintain a communications plan with response and notification procedures for a ransomware incident within its broader incident response plan. The procedures and plans should be tested regularly. All critical information should be regularly backed up as immutable data. Each regulated entity should test the ability to resume critical business processes using backups in a timely manner. The regulated entities should enable spam filters to prevent phishing emails from reaching end users, authenticate inbound email, and use behavior-based malware protection on servers and endpoints. Furthermore, the regulated entities should analyze the need to financially insure against ransomware.</p><p> <span>Accounts</span></p><p>The regulated entities should have individually attributable accounts for accessing IT assets and prohibit the sharing of user accounts. The use of shared accounts increases the risk of sharing passwords and typically will not allow for an attributable audit trail of activity. Furthermore, the regulated entities should enforce security controls over individual and privileged accounts, such as multi-factor authentication. Privileged accounts should be managed centrally and more stringently than non-privileged user accounts. Privileged accounts should be limited to only those who require elevated privileges for specific actions. For example, a privileged account should only be used for approved business purposes. </p> ​ <p><span>Cybersecurity Supply Chain Risk Management&#160;</span><a>[9]</a><br></p><p>The regulated entities increasingly rely on suppliers to support critical functions, which potentially exposes the regulated entities to additional cybersecurity risk. These suppliers have their own suppliers, creating extended supply chains. Complex supply chains and cyber threat actors targeting supplier and acquirer networks increase the importance of supply chain resilience, business continuity, and disaster recovery planning. The regulated entities should consider the following supply chain risk mitigation activities to enhance their third-party risk and business resiliency management programs.<a>[10]</a></p><p>The regulated entities should manage risk from unexpected interruptions to the supply chain to ensure business continuity. Examples of potential disruptions include suppliers ceasing support for hardware and software, merger, acquisition, or change in leadership.<a>[11]</a> The regulated entities should proactively identify risks arising from potential disruptions and mitigate the risks accordingly. The regulated entities will benefit from including contractual provisions to modify or terminate a contract if the supplier is no longer able to meet regulated entity’s requirements. Furthermore, the regulated entities should consider incorporating lessons learned from prior supply chain incidents into planning, response, and recovery processes, and sharing such lessons learned with appropriate parties within the regulated entity.</p><p>The regulated entities should consider strengthening their supplier management programs to monitor for potential security and privacy risks. This includes ensuring that suppliers are meeting regulated entity cybersecurity requirements and remediating any identified issues per agreed-upon timelines. The regulated entities should assess significant suppliers on a regular basis to identify potential changes to the suppliers’ risk profile. </p><p> <strong>3.&#160;&#160;How do third-party provider relationships introduce user access management risks?</strong></p><p>To elaborate on the security risks identified in AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em>, the regulated entities’ engagement with third-party providers can increase user access management risks if external users access the regulated entity’s network and data. If the third-party provider’s contract does not outline specific user access requirements, third-party users may not be subject to sufficiently stringent access controls, and the regulated entities may have insufficient transparency and visibility into the third party’s controls over their users. Finally, poor user access management within third-party providers’ own networks can increase the risk of disclosure of non-public information. As a result, the regulated entities should consider the cyber posture of a third party prior to engagement with the third party. The regulated entities should incorporate the access management guidance provided in this AB into the third-party risk management program, as well as the policies and procedures that implement the guidance detailed in AB 2016-04&#58; <em>Data Management and Usage</em>.<a>[12]</a> </p><p> <strong>4.&#160;&#160;How can information security be addressed at third-party providers?</strong></p><p>Information security risks should be addressed as early as possible during the third-party provider risk management life cycle. The degree of due diligence performed on the third-party providers’ information security program should be commensurate with the risk to the regulated entity’s confidentiality, integrity, and availability of systems and information. The regulated entity should determine if the third party has cybersecurity insurance and the extent and provisions of its coverage. If the third party uses subcontractors,<a>[13]</a> the regulated entity should understand the third party’s ability to control the subcontractors’ access. The regulated entity should approve subcontractor access to its IT systems or data based on the potential risk to the regulated entity. If applicable, the third party should fully disclose the extent of the subcontractors’ access to regulated entity data. Furthermore, if a third party loses or otherwise compromises regulated entity data, the third party should be contractually obligated to notify the affected regulated entity within an agreed-upon timeframe. The third party should have policies, procedures, certifications, and/or accreditations describing its information security program. Information security related expectations for the third party should be explicitly outlined in the contract.</p><p>In addition to performing due diligence and contract negotiation, the regulated entities should conduct ongoing monitoring (and where necessary, on-site reviews) of a third-party provider’s information security program. Periodically, third-party providers should be required to attest that they meet contractually agreed-upon information security requirements, including robust risk management over their own third parties. The regulated entities should also review independent reports on a third-party provider’s security program, such as ISO 27001 certification, and PCI compliance and control reports (e.g., Service Organization Control). As part of ongoing monitoring of the third-party provider, the regulated entities should regularly monitor news, social media, and intelligence feeds for issues that may raise concerns regarding a third-party provider’s information security posture. In scenarios that warrant heightened risk monitoring, the regulated entities may use external third-party providers that specialize in supply chain cyber risk assessments to perform ongoing monitoring over the extended supply chain. </p><p> <strong>5.&#160;&#160;What are examples of appropriate password safeguards?</strong></p><p>To address common attacks, industry best practices recommend a defense-in-depth strategy.<a>[14]</a> Multi-factor authentication is a strong preventative measure against most password attacks. To elaborate on AB 2017-02&#58; <em>Information Security Management</em>, each regulated entity’s program should align with appropriate industry standards on multi-factor authentication, such as those promulgated by NIST, commensurate with the complexity and risk profile of the entity.<a>[15]</a> The regulated entities should also use detective measures such as logging and monitoring failed authentication attempts. Because industry best practices, such as password composition recommendations, adapt frequently to the changing threat landscape, the regulated entities should also review authentication protocols and rules at least annually.</p><p>Additionally, employees and/or contractors should be given the least privilege necessary to perform their job duties. The regulated entity should identify an appropriate party to review privileges regularly, commensurate with the asset’s risk profile. Actions taken using elevated privileges should be monitored. Logs of elevated privilege actions should be parsed into a security information and event management (SIEM) tool.</p><p>To elaborate on the guidance on remote access management set forth in AB 2017-02&#58; <em>Information Security Management</em>, the regulated entities should account for “non-traditional” device<a>[16]</a> access to the network and adapt password security policies, procedures, and standards accordingly. The regulated entity’s management and monitoring of all mobile devices connected to its network through an established mobile device or application management program is critical to promoting sound endpoint security.</p><p>As part of a strong information security culture, training users on security awareness and strong password management techniques can help employees mitigate user access risks. In addition to requiring training on regulated entity policies, procedures, and standards, regulated entities should periodically educate employees on both common and novel password security threats.​</p><p> <strong>6.&#160;&#160;How can the regulated entities address user access management risk given the new threat environment?</strong></p><p>The regulated entities’ information security programs should address risks associated with user access management. In recent years, cyber attackers accessed more entry points (e.g., off-premises “non-traditional” devices, traditional on-premises systems, and the Internet of Things<a>[17]</a>) and used more sophisticated methods of targeting users. Cyber attackers have targeted users with network access to escalate their own privileges and pivot within the network. Thus, the regulated entities should monitor user access, conduct user access reviews, and remove user access when no longer needed. Furthermore, the regulated entity should identify the access necessary for a user to perform job duties before granting access.</p><p> <strong>7.&#160;&#160;What measures can be taken to mitigate the risk of unauthorized privilege escalation?</strong></p><p>Measures taken to mitigate the risk of privilege escalation may be incorporated into multiple layers of the regulated entity’s defense-in-depth posture. Security researchers note that efforts should start with defending against intrusions early in the chain of activities leading to privilege escalation. </p><p>The regulated entities should disable unnecessary or unused services, block unnecessary or unused ports, and use automated command-shell tools (e.g., PowerShell) with discretion. Additionally, the regulated entities should harden defenses at endpoints by appropriately configuring applications such as email and web browsers and limiting executables. </p><p>Attacks using remote desktop protocol and software have increased as more employees work remotely. Unauthorized parties may remotely access a network and escalate privileges to conduct an attack. The regulated entities should avoid the use of default passwords and reliance on default settings for remote desktop technology. The regulated entities may further secure remote access by enforcing strong controls such as requiring multi-factor authentication, patching, and updating software, and restricting access using firewalls. </p><p>Additionally, unauthorized privileged escalation risk may be mitigated by applying principles such as “Zero Trust”<a>[18]</a> from industry best practices of granular and specific access permissions&#58; </p><ul><li>The regulated entities may consider continuously reauthenticating a user rather than granting static authentication at the beginning of a user’s session.</li><li>Regularly review users with administrative or otherwise privileged access and deprovision access once the user no longer needs it.<a>[19]</a></li></ul><p> <strong>8.&#160;&#160;How can the regulated entities mitigate risks presented by incorporating new technology into existing infrastructure?</strong></p><p>New technology may require a learning curve before it is managed effectively. Therefore, it is beneficial for the regulated entities to have reliable and proven processes in place for designing and maintaining a secure and resilient enterprise IT architecture before introducing new technologies. Systems should be evaluated in a test environment before they are incorporated into the production environment. </p><p>The regulated entities may consider developing a risk-based security strategy integrated with the business strategy that defines its appetite for risks posed by new technology. Furthermore, the regulated entities should establish appropriate governance processes for new technology, including risk assessment, and ensure relevant controls are in place prior to the new technology’s implementation. Once the new technology is in use, the regulated entity should continue to monitor and evaluate its risks. If new technology is replacing old technology, the regulated entities should ensure that they properly secure and retire any legacy infrastructure. The regulated entities should have a process in place to train users on any system migrating into production. This can be either formal training or a transfer of knowledge from users of a system in the test environment.</p><p> <strong>9.&#160;&#160;How does information security management of cloud environments differ from information security management of on-premises environments?</strong></p><p>Whereas AB 2018-04&#58; <em>Cloud Computing Risk Management</em>,<a>[20]</a> covers differences between the cloud environment and the on-premises environment and details third-party cloud provider management and information security, the sections below provide additional detail to the cloud information security operations topics parallel to Section III&#58; Operations in AB 2017-02&#58; <em>Information Security Management</em>.</p><p> <span>Continuous Monitoring</span></p><p>The regulated entity should integrate any cloud monitoring and logging tools into an existing SIEM platform for centralized threat detection and management. Most leading cloud service providers (CSP) offer built-in monitoring and logging tools, but the customers are responsible for configuring these tools. If a regulated entity chooses to use a CSP tool, the regulated entity should understand the tool’s capabilities. </p><p> <span>Vulnerability Management</span></p><p>The vulnerability management concepts outlined in AB 2017-02&#58; <em>Information Security Management</em> apply to the cloud environment. Vulnerability management of cloud infrastructure is typically managed by the CSP; however, in a platform-as-a-service and infrastructure-as-a-service model, the customer is responsible for vulnerability management in the cloud. The regulated entities should prioritize vulnerability management for cloud applications at the start of the cloud build processes rather than as an afterthought at the end.</p><p> <span>Baseline Configuration</span></p><p>Regulated entities should include cloud-based IT assets in the IT inventories referenced in AB 2017-02&#58; <em>Information Security Management</em>. The process for baselining and monitoring IT asset configurations should be the same for both on-premises and cloud-hosted assets. Baseline configurations are especially important for virtual servers that are decommissioned and then recommissioned using established baselines. Secure baseline configurations should be established based on manufacturer or industry best practice. Additionally, leading CSPs provide security configuration guidelines for foundational services used for establishing connectivity, authentication, data access, and encryption settings. The regulated entities should identify and adopt appropriate baseline configuration standards that ensure a comprehensive view of potential security configuration gaps within all its cloud-based services and provide assurance that the cloud-based IT environment is configured to maintain the expected level of protection against threats to data.</p><p> <span>Asset Lifecycle</span></p><p>With more critical processes moving to cloud environments, some asset management responsibilities could shift to the CSP. The regulated entities should continue to maintain an asset lifecycle program as detailed in AB 2017-02&#58; <em>Information Security Management</em>. While the regulated entities may have fewer physical infrastructure assets such as servers, the regulated entities may need to enhance asset lifecycle policies and procedures to reflect trends such as BYOD (bring your own device) and increased teleworking. The regulated entities should consider how “nontraditional” devices fit into their asset lifecycle.</p><p> <span>Incident Response and Recovery</span></p><p>The regulated entities should evaluate the design and operating effectiveness of the CSP’s incident response controls. Each Enterprise is expected to meet the provisions of AB 2020-05&#58; <em>Enterprise Cybersecurity Incident Reporting</em>, in the event of a cybersecurity incident at a CSP that compromises the confidentiality, integrity, or availability of an Enterprise asset.<a>[21]</a> Similarly, each Federal Home Loan Bank is expected to meet data reporting provisions established by FHFA’s Division of Federal Home Loan Bank Regulation.</p><p> <span>Awareness and Training</span></p><p>The regulated entities should consider how using cloud technology affects the existing information security culture. Existing policies and procedures may need to be modified or supplemented to provide personnel with adequate information on securely developing and using cloud-based applications. As needed, the regulated entities should administer cloud-specific training to provide personnel with a baseline understanding of cloud systems. The regulated entities should administer role-based training to users with access to cloud systems, with more rigorous training required for those with privileged access.</p><p> <span>User Access Management</span></p><p>When virtually connecting to a CSP, the regulated entities should extend existing user identity and access management policies such as federation<a>[22]</a> to the cloud. The regulated entities should tie identities to a centralized internal identity and consider the use of identity brokers where appropriate.</p><p> <span>Threat Intelligence Sharing</span></p><p>Most cloud industry leaders offer built-in threat intelligence services and publish whitepapers on using these services. Cloud customers are responsible for enabling and configuring these services. CSPs, federal agencies such as the Cybersecurity and Infrastructure Security Agency, and third-party security providers also produce alerts. The regulated entities’ existing SIEM framework should incorporate these alerts. The regulated entities should continue to participate in private and public threat intelligence coordination. As a small number of CSPs are heavily used within the financial sector, information exchange on threats affecting these platforms promotes financial sector security and resiliency. </p><p> <span>Encryption</span></p><p>In addition to the guidance provided in Section III of AB 2017-02&#58; <em>Information Security Management</em>, the regulated entities should also incorporate cloud encryption and key management concepts into policies and procedures. The regulated entities should define what data need to be encrypted and where the data are stored and then implement encryption and key management accordingly. For certain types of data that have specific regulatory or statutory requirements, each regulated entity should carefully evaluate whether the encryption of such data and the location in which such data are stored within a cloud environment comply with these requirements. Regulated entity information security personnel should work with their organization’s compliance and legal staff to clearly understand all applicable encryption-related laws and regulation and to ensure ongoing compliance. Many CSPs offer key management services; therefore, the regulated entities and their CSPs should agree upon roles and responsibilities for key storage and management services and document them in their service contracts. The regulated entities should adopt NIST standards to implement encryption and key management appropriately.<a>[23]</a> </p><p> <strong>10.&#160;&#160;How should the information security program adapt to changing privacy laws?</strong></p><p>As many privacy laws are enacted at the state rather than the federal level, the regulated entities should continuously monitor the applicability of and their compliance with new and changing state privacy laws, as well as any relevant federal laws. These laws may require changes to the regulated entity’s information security program, as privacy laws may have implications on how and where certain data can be stored, the level of security needed to protect that data, and specific data retention and deletion requirements. For example, some state-specific privacy laws stipulate the level and type of encryption needed for certain kinds of data, the circumstances under which certain information can be shared with a third-party provider, notification requirements for data breaches, and the deletion of certain kinds of information on request. Data encryption should be balanced with data transparency to ensure that the relevant data can be easily located and removed when the law requires it to be deleted. Privacy laws underscore the necessity for the regulated entities to understand what data they own, where it is housed, who has access and for what purposes, and how the data is protected. The regulated entities should maintain a comprehensive and current inventory of all data they own, where data is located, with which third parties their data was shared, and for what purpose. Additionally, because laws may have different requirements and applicability depending on the location of the consumer and the kinds of data involved, regulated entity information security personnel should work with the regulated entity’s privacy, compliance, and legal offices to clearly understand the applicable requirements, best practices, and to ensure ongoing compliance with privacy laws. To effectively anticipate and address the implications of any new activity on privacy compliance and information security, the regulated entities should perform a privacy assessment prior to approving any new activities (including pilot initiatives and the commencement of any new third-party service provider relationship). </p><p> <strong>11.&#160;&#160;What are avenues for discovering vulnerabilities?</strong></p><p> <span>Penetration Testing</span></p><p>The regulated entities should engage third parties to perform independent penetration testing,<a>[24]</a> as well as perform internal penetration testing as necessary. Though penetration testing may proactively identify potential vulnerabilities during the development lifecycle, it generally is used to test a deployed system at any specific point in time and should not be used as a substitute for secure development practices. The regulated entities should conduct penetration tests on systems periodically post-deployment.</p><p> <span>Threat Modeling</span></p><p>The regulated entities may also use established frameworks to perform threat modeling<a>[25]</a> on their systems.​ The regulated entities should embed security protections into information systems by creating a feedback loop of identifying, mitigating, and reassessing threats. Rather than finding vulnerabilities in pre-deployed or deployed systems, the regulated entities may find them during the development process if security is prioritized in the design of the system. Additionally, both technical and non-technical vulnerabilities can be highlighted if threat modeling is performed by both the technical and functional stakeholders throughout the software development lifecycle. The regulated entities may incorporate threat modeling into the ongoing management and monitoring of high-risk systems. </p><p> <span>Vulnerability Disclosure Program</span></p><p>A Vulnerability Disclosure Program (VDP) may enable the regulated entity to learn of vulnerabilities through external parties, such as IT and information security researchers, ethical hackers, etc. The discovery and shared disclosure of previously unknown vulnerabilities enables faster identification and remediation. Additionally, a VDP may potentially mitigate reputational risk if the regulated entities are informed of vulnerabilities through a non-public communication channel rather than through exploitation or publication of the vulnerability on public channels.</p><h1> <span> <em> <strong>Related Guidance​</strong></em></span></h1><p> <em>Enterprise Risk Management Program,</em> FHFA AB 2020-06, December 11, 2020.</p><p> <em>Business Resiliency Management,</em> FHFA AB 2019-01, May 7, 2019.</p><p> <em>Oversight of Third-Party Provider Relationships,</em> FHFA AB 2018-08, September 28, 2018.</p><p> <em>Cloud Computing Risk Management,</em> FHFA AB 2018-04, August 14, 2018.</p><p> <em>Information Security Management,</em> FHFA AB 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function,</em> FHFA AB 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage,</em> FHFA AB 2016-04, September 29, 2016.</p><p> <em>Operational Risk Management,</em> FHFA AB 2014-02, February 18, 2014.</p>​ <hr />​​ <p> <a>[1]</a><a>AB 2017-02&#58; <em>Information Security Management</em>, September 2017</a>.</p><p> <a>[2]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate” of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. 4502(1), and this AB applies to it. </p><p> <a>[3]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See 12 U.S.C. 4502(20). However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF. </p><p> <a>[​4]</a> If a regulated entity chooses not to adopt or adhere to the NIST standards, the regulated entity could nevertheless meet FHFA’s supervisory expectations by demonstrating to the examiner’s satisfaction that adoption and adherence to a comparable set of current industry standards is safe and sound information security management.</p><p> <a>[5]</a> Defined in NIST SP 800-160 Vol. 2 Rev. 1, December 2021.</p><p> <a>[6]</a> Refer to <a>AB 2019-01&#58; <em>Business Resiliency Management</em></a>, for more information related to an entity’s ability to minimize disruptions and maintain business operations at predefined levels.</p><p> <a>[7]</a><em>See footnote 4.</em></p><p> <a>[8]</a><em>E.g.</em>, The Financial Services Sector Coordinating Council and Financial Services Information Sharing and Analysis Center.</p><p> <a>[9]</a> Defined in NIST SP 800-161r1, May 2022.</p><p> <a>[10]</a> Refer to <a>AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em></a>, for expectations related to the regulated entities’ risk management of third-party suppliers.</p><p> <a>[11]</a><em>See</em> NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management&#58; Observations from Industry.</p><p> <a>[12]</a><a>AB 2016-04&#58; <em>Data Management and Usage</em>, September 2016</a>.</p><p> <a>[13]</a> Subcontractors are also referred to as fourth parties.</p><p> <a>[14]</a> Defined in NIST SP 800-53 Rev. 5, September 2020.</p><p> <a>[15]</a><em>See footnote 4.</em></p><p> <a>[16]</a><em>E.g.,</em> smartphones, tablets, wearable technology.</p><p> <a>[17]</a> Defined in NIST SP 800-172, February 2020.</p><p> <a>[18]</a> Defined in NIST SP 800-207, August 2020. </p><p> <a>[19]</a> For more information on “Zero Trust” principles, see <a>NIST Special Publication 800-207&#58; Zero Trust Architecture</a> (2020). </p><p> <a>[20]</a><a>AB 2018-04&#58; <em>Cloud Computing Risk Management</em>, August 2018</a>.</p><p> <a>[21]</a><em>See</em><a>AB 2020-05&#58; <em>Enterprise Cybersecurity Incident Reporting</em></a>, for FHFA’s definition of a “reportable cybersecurity incident.”</p><p> <a>[22]</a> Defined in NIST SP 800-63 Rev. 3, June 2017.</p><p> <a>[23]</a><em>See footnote 4.</em></p><p> <a>[24]</a> Defined in NIST SP 800-95, August 2007.</p><p> <a>[25]</a> Defined in NIST SP 800-53 Rev. 5, September 2020.​<br></p><div><div><table><tbody><tr><td><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a>SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ ​​ <div><div></div><div></div></div>​​ <br></div></div>1/14/2023 4:17:39 PMHome / Supervision & Regulation / Advisory Bulletins / Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management Advisory Bulletin 8630https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Valuation of Mortgage Servicing Rights for Managing Counterparty Credit Risk39045Fannie Mae & Freddie Mac1/12/2023 5:00:00 AMAB 2023-01<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2023-01&#58;&#160; Valuation of Mortgage Servicing Rights for Managing Counterparty Credit Risk</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-01_Valuation-of-Mortgage-Servicing-Rights-for-Managing-Counterparty-Credit-Risk.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2023-01]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></span></h1><p>This Advisory Bulletin communicates FHFA’s supervisory expectations for Fannie Mae and Freddie Mac (collectively, the Enterprises or individually, an Enterprise) to establish and implement risk management policies and procedures for monitoring and valuing seller/servicers’ mortgage servicing rights (MSRs).<a href="#footnote1" class="super-script">[1]</a><span class="super-script">,</span><a href="#footnote2" class="super-script">[2]</a>​ Enterprise-wide risk management policies and procedures should be commensurate with an Enterprise’s risk appetite, and based on an assessment of seller/servicer financial strength and MSR risk exposure levels. Although seller/servicers assign values to their MSRs, the Enterprises should have their own processes to evaluate the reasonableness of seller/servicer MSR values. </p><p>This bulletin applies to only MSRs for single-family mortgage loans and is effective April 1, 2023. </p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Background</strong></em></span></h1><p style="padding-top&#58;8px !important;">FHFA’s Prudential Management and Operations Standards set forth guidance in Part 1236’s Appendix A that the Enterprises should have overall risk management processes that ensure the identification, management, monitoring, and control of risk exposures. In addition, the overall risk management processes should include timely, accurate, informative risk reports, and alignment of the Enterprise’s overall risk profile with its mission objectives. Collectively, the Enterprise’s three lines of risk management - business unit, enterprise risk management, and internal audit - each have ownership responsibilities for identifying, monitoring, assessing, and controlling risks, including those risks attendant to counterparties and the valuation of MSRs.<a href="#footnote3" class="super-script">[3]</a></p><p>The Enterprise relies on seller/servicers to perform mortgage loan servicing activities, which include collecting and remitting monthly payments of principal and interest, and sometimes collecting and remitting taxes and insurance, for mortgage loans it has guaranteed or purchased. Servicing activities also include performing specific requirements for delinquent mortgage loans, including loss mitigation and management of foreclosures. The Enterprise compensates seller/servicers for their loan servicing activities. The right to receive future cash flows from servicing mortgage loans is commonly referred to as an MSR, which seller/servicers typically record as an asset for financial accounting purposes, and whose value is equal to the discounted present value of future cash flows, adjusted for expected prepayment speeds. MSRs can enhance income, capitalization, and collateral for financing of seller/servicers. </p><p>Through their contractual commitments and obligations to the Enterprise, seller/servicers expose the Enterprise to risks the Enterprise should monitor, assess, and control. The Enterprise is exposed to counterparty credit risk when seller/servicers provide representations and warranties that mortgage loans conform with its selling guide requirements. For example, if a mortgage loan does not meet selling guide requirements, the Enterprise may require a seller/servicer to repurchase the defective mortgage loan. A seller/servicer’s selling commitments and servicing obligations are also a source of counterparty risk to the extent that the seller/servicer does not meet selling and servicing requirements. Failure to meet such obligations and commitments may cause the Enterprise to incur credit losses and operational costs. </p><p>The Enterprise mitigates seller/servicer credit risk through a framework of financial eligibility standards, ratings, limits, and ongoing monitoring to assess a seller/servicer’s financial strength and operational practices. MSRs are an important component in the Enterprise’s evaluation of a seller/servicer’s financial capacity. Accordingly, the Enterprise’s three lines of risk management should have an overall risk management framework that ensures MSR values are reasonable, objective, and transparent. </p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></span></h1><p style="padding-top&#58;6px !important;"> A.&#160;&#160;<em>Object Evaluation of MSR Values</em></p><p>MSR values have a high level of uncertainty due to various factors including interest rate changes, spreads, option volatility, prepayment speeds, and Enterprise termination rights. In addition, market conditions can significantly increase or decrease MSR values as market participants acquire MSRs at varying multiples of cashflow. As such, MSR values can fluctuate greatly even during periods of low market volatility. Seller/servicers and other market participants may value MSRs based on differing model assumptions, levels of sophistication, and strategic objectives. These differences can cause volatile MSR values. For these reasons, the Enterprise should not accept MSR valuations provided by seller/servicers without an independent evaluation. The Enterprise’s counterparty credit risk management policies and procedures should require the Enterprise to estimate its own MSR values based on the Enterprise’s informed assumptions to ensure values are reasonable and transparent to the three lines of risk management. The Enterprise should document the rationale for the MSR valuation and ensure it is appropriate and prudent for its intended use in managing counterparty credit risk. The Enterprise’s counterparty credit risk management policies and procedures should address situations where seller/servicer-provided MSR values are materially different from the Enterprise’s estimated values. The policies and procedures should specify criteria for what constitutes a material difference and how to manage the related counterparty credit risk. </p><p> B.&#160;&#160;<em>MSR Valuations for Mortgage Loans Owned or Guaranteed by the Enterprise and Stress Testing</em></p><p>Many seller/servicers’ MSR portfolios include Fannie Mae, Freddie Mac, Ginnie Mae, and private label mortgage loans. The Enterprise should establish and maintain processes to model MSR values for mortgage loans that it owns or guarantees.<a href="#footnote4" class="super-script">[4]</a> As with any model-driven process, the Enterprise should ensure that model assumptions are reasonable, defendable, and applied in a consistent manner across mortgage loans with similar characteristics. These inputs may include information on mortgage loan characteristics such as unpaid principal balance, coupon rate, and contractual servicing fee, among other data. Assumptions may include interest rates and related forecasts, discount rates, expected prepayment speeds, cost to service, ancillary income, home price forecasts, and unemployment rates, among others. </p><p>In addition to inputs and assumptions, the Enterprise should incorporate stress scenarios to better estimate the potential range of MSR values and their effects on the seller/servicer’s financial capacity. For example, stress testing may include adjusting certain macroeconomic model assumptions to reflect economic downturns. The Enterprise should also incorporate reverse stress testing where certain macroeconomic model assumptions are adjusted such that MSR values may compromise the seller/servicer’s continuing eligibility to conduct business with the Enterprise. </p><p>The Enterprise should ensure that MSR valuation models use sufficient information to support its model outputs and adhere to FHFA’s relevant Advisory Bulletin guidance.<a href="#footnote5" class="super-script">[5]</a></p><p> C.&#160;&#160;<em>MSR Valuations for Mortgage Loans Not Owned or Guaranteed by the Enterprise</em></p><p>The Enterprise should establish and maintain processes to assess MSR values for mortgage loans it does not own or guarantee, but it is unlikely to have sufficient data to model MSR values for such loans (although the lack of sufficient data does not necessarily preclude the Enterprise from modeling MSR values). However, seller/servicers regularly provide the Enterprise with information on their MSR portfolios, such as general mortgage loan characteristics and certain MSR valuation assumptions, along with the MSR value. Some seller/servicers also commission independent audits and third-party valuations that may contain additional MSR portfolio information. Using this information or other appropriate sources, the Enterprise should assess the reasonableness of the seller/servicer’s MSR valuations for mortgage loans that it does not own or guarantee and adjust the valuations accordingly. </p><p> D.&#160;&#160;<em>Market Data Input</em></p><p>Beyond the characteristics of the underlying mortgage loans and prevailing economic conditions, MSR values are significantly influenced by market activity. It is therefore important for the policies and procedures of the Enterprise’s counterparty credit risk management to account for market factors when estimating MSR values. The Enterprise should regularly conduct market research, which may include information on recently traded MSR portfolios, and other proxies for valuation such as servicing fee multiples or capitalized values. This information can be useful in estimating MSR market values and should be used to benchmark values against the Enterprise’s internally produced MSR valuation. Furthermore, during periods where values are high or volatile, the Enterprise should consider potential decreases in MSR market values. </p><p> E.&#160;&#160;<em>Use of Third-Party Providers</em></p><p>The Enterprise may engage third-party providers for various aspects of the MSR evaluation process, which may include providing MSR valuation models and model inputs, information for benchmarking or risk management purposes, or other applicable services or products.<a href="#footnote6" class="super-script">[6]</a>​ To the extent third-party providers are used to model or assess MSR values, the Enterprise should have adequate processes and controls to ensure its understanding and agreement with the third-party provider’s valuation inputs, assumptions, and outputs. Such processes and controls are important for the Enterprise’s independent evaluation of the seller/servicer’s MSR valuation.</p><p> F.&#160;&#160;<em>Frequency of Evaluations</em></p><p>Evaluations of seller/servicer MSRs should be risk-based and consistent with the Enterprise’s risk appetite and counterparty risk management framework. In general, the Enterprise should evaluate MSRs more frequently for seller/servicers with higher volumes and exposure levels. At a minimum, the Enterprise’s counterparty credit risk management policies and procedures should require an evaluation within a reasonable period after seller/servicers report MSR values to the Enterprise.</p><p> G. <em>​ Discount to MSR Values When Servicing Rights Are Terminated </em></p><p>The Enterprise has certain contractual rights to revoke servicing upon a seller/servicer’s failure, default of its obligations, or for other reasons, in which case it may transfer the servicing to another seller/servicer. To plan for adverse financial outcomes during the transfer of the servicing asset, the Enterprise should apply discounts to its estimated MSR values to manage counterparty risk prudently. The discount should reflect economic stress and market uncertainty, including potential price fluctuations, transaction costs, and operational costs incurred during the servicing transfer period. A discounted MSR value can provide the Enterprise a more conservative estimate of its exposure during periods of seller/servicer-specific or broader market stress and can allow the Enterprise to manage counterparty risk more effectively.</p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Related Guidance and Regulations</strong></em></span></h1><p style="text-align&#58;left;padding-top&#58;8px !important;"> <em>​Model Risk Management,​</em>&#160;FHFA Advisory Bulletin 2013-07, November 20, 2013</p><p style="text-align&#58;left;"> <em>Artificial Intelligence/Machine Learning Risk Management,</em> FHFA Advisory Bulletin 2022-02, February 10, 2022</p><p style="text-align&#58;left;"> <em>Oversight of Single-Family Seller/Servicer Relationships,</em> FHFA Advisory Bulletin 2014-07, December 1, 2014</p><p style="text-align&#58;left;"> <em>Contingency Planning for High-Risk or High-Volume Counterparties,</em> FHFA Advisory Bulletin 2013-01, April 1, 2013</p><p style="text-align&#58;left;"> <em>Oversight of Third-Party Provider Relationships,</em> FHFA Advisory Bulletin 2018-08, September 8, 2018</p><p style="text-align&#58;left;"> <em>Enterprise Risk Management Program,</em> FHFA Advisory Bulletin 2020-06, December 11, 2020</p><p>12 CFR 1236, Prudential Management and Operations Standards, Standard 8 – Overall Risk Management Processes</p><p>12 CFR 1236, Prudential Management and Operations Standards, Standard 9 – Management of Credit and Counterparty Risk​<br></p><hr />​​ <p> <a name="footnote1" class="super-script">[1]</a> The term “Seller/Servicer” as used in this bulletin includes all entities that sell single-family mortgage loans to the Enterprises or perform single-family mortgage loan servicing for the Enterprises. </p><p> <a name="footnote2" class="super-script">[2]</a> An MSR is an expression of the value of a seller/servicer’s rights to service mortgage loans on behalf of the Enterprise and does not create any legal rights of ownership for seller/servicers. These rights to service mortgage loans are contract rights terminable with or without cause by an Enterprise. </p><p> <a name="footnote3" class="super-script">[3]</a> 12 CFR 1236, Prudential Management and Operations Standards, Standard 8 – Overall Risk Management Processes</p><p> <a name="footnote4" class="super-script">[​4]</a> The Enterprise may use a risk-based process to evaluate MSR values for depository institutions since they are generally less reliant on MSRs than other seller/servicers. The risk-based process should involve criteria for assessing rather than modeling their MSR values based on the depository institution’s financial strength or other appropriate factors.</p><p> <a name="footnote5" class="super-script">[5]</a> Relevant FHFA guidance includes AB 2022-02&#58; Artificial Intelligence/Machine Learning Risk Management and AB 2013-07&#58; Model Risk Management, and other guidance as applicable. </p><p> <a name="footnote6" class="super-script">[6]</a> When using third-party providers, the Enterprise should adhere to Advisory Bulletin 2018-08&#58; Oversight of Third-Party Provider Relationships. The Enterprise should identify and mitigate any actual or potential third-party provider conflicts of interests that may be embedded in any data, model, valuations, or other products or services procured.​​<br></p><div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;font-weight&#58;400;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ <div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 5a5d60ae-51e0-4034-bfa9-f5fe9c9536f0" id="div_5a5d60ae-51e0-4034-bfa9-f5fe9c9536f0" unselectable="on"></div><div id="vid_5a5d60ae-51e0-4034-bfa9-f5fe9c9536f0" unselectable="on" style="display&#58;none;"></div></div>​​ <br></div></div>1/12/2023 7:00:40 PMHome / Supervision & Regulation / Advisory Bulletins / Valuation of Mortgage Servicing Rights for Managing Counterparty Credit Risk Advisory Bulletin 18449https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Model Risk Management Guidance38732All12/21/2022 5:00:00 AMAB 2022-03<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2022-03&#58;&#160; ​Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance​</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2022-03_Supplemental-Guidance-to-AB-2013-07-Model-Risk-Management-Guidance.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2022-03]</a></span><br></p></td></tr></tbody></table><h1> <span style="text-decoration&#58;underline;"><em><strong>PURPOSE</strong></em></span></h1><p>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2013-07&#58; Model Risk Management Guidance<em>,</em> published on November 20, 2013.&#160;This AB is applicable to Freddie Mac, Fannie Mae,<a href="#footnote1" class="super-script">[1]</a>​&#160;the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#footnote2" class="super-script">[2]</a>) and clarifies and expounds on various topics covered in FHFA's existing guidance.&#160; &#160;</p><p style="text-align&#58;justify;">The intent of this AB's guidance, formatted as Frequently Asked Questions (FAQs), is to provide supplemental guidelines that will address some of the gaps in AB 2013-07 prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks. The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.&#160; </p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p><h1> <span style="text-decoration-line&#58;underline;"> <em> <strong>BACKGROUND</strong></em></span></h1><p style="text-align&#58;justify;">Since the publication of AB 2013-07, we have observed changes in model-related technologies which have prompted changes in&#160;guidance and generated questions regarding existing guidance. The advent of cloud technology and artificial intelligence/machine learning techniques have led to FHFA's issuance of specific guidance on these topics.<a href="#footnote3" class="super-script">[3]</a>&#160;However, the issuance of that guidance has created gaps in AB 2013-07.&#160; </p><p style="text-align&#58;justify;">In addition, the FHLBanks have increased the use of models, employing internally developed models as well as complex vendor models. Since the issuance of AB 2013-07, FHFA has also amended the regulation addressing FHLBank capital requirements<a href="#footnote4" class="super-script">[4]</a> and issued related FHLBank guidance on modeling. Specifically, FHFA issued additional guidance on market risk models (AB 2016-02; AB 2018-01) and mortgage credit risk models (AB 2018-02).<a href="#footnote5" class="super-script">[5]</a>&#160;The FHLBanks' expanded model use as well as recent FHFA regulations and guidance applicable to the FHLBanks have also created the need for expanded clarification of AB 2013-07.<a href="#footnote6" class="super-script">[6]</a>&#160; &#160;&#160;</p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p><h1> <span style="text-decoration-line&#58;underline;"> <em> <strong>GUIDANCE​</strong></em></span></h1><p> <strong>1.&#160;&#160;</strong><strong>Model Risk Management Framework</strong></p><p> <strong>1(a).&#160;&#160;</strong><strong>How should “less complex&quot; entities address expectations in AB 2013-07? </strong> <br>Model risk management should be commensurate with a regulated entity's model use and risk exposure. AB 2013-07 provides a distinction between “complex&quot; (Fannie Mae and Freddie Mac) and “less complex&quot; (FHLBanks and OF) entities. Over time, the FHLBanks have expanded the scope, scale, and complexity of their modeling activities. Thus, the FHLBanks and OF should be attentive to changes in the complexity, impact, and scope of their modeling environments and modify their model risk management practices accordingly. Pointedly, the distinction between “complex&quot; and “less complex&quot; does not exempt “less complex&quot; regulated entities from the expectations in AB 2013-07, but it could affect the frequency and rigor of certain model risk management practices. </p><p style="text-align&#58;justify;"> <strong>1(b).&#160;&#160;</strong><strong>Does the existing definition of “model use&quot; in AB 2013-07 encompass all potential model applications considering recent changes to model uses? </strong> <br>AB 2013-07 defines model use “as using a model's output as a key basis for informing business decision-making, managing risk, or developing financial reports.&quot;&#160;The adoption of artificial intelligence and machine learning techniques has expanded the definition of model use beyond business decision-making, risk management, and the development of financial reports. The regulated entities employ artificial intelligence and machine learning for various business processes (<em>e.g</em>., productivity tools such as facial recognition for access management and document digitization).&#160; </p><p style="text-align&#58;justify;">Although FHFA has articulated expectations for risk management of artificial intelligence and machine learning in AB 2022-02&#58; <em>Artificial Intelligence/Machine Learning Risk Management </em>(Feb. 10, 2022), the governance for models used for business decision-making, risk management, and financial reporting should still adhere to the expectations outlined in AB 2013-07.&#160;Models not directly used for those purposes should follow a governance framework commensurate to the risk, consistent with AB 2013-07. For example, if a model is used for scanning and digitizing documents, controls appropriate to the process should be developed to manage the risk. In addition to AB 2013-07, other appropriate FHFA guidance should be considered and applied in those instances.<a href="#footnote7" class="super-script">[7]</a></p><p style="text-align&#58;justify;"> <strong>1(c).&#160;&#160;</strong><strong>​</strong><strong>What are the expectations for mapping of key dependencies on external model-related data, software, storage, and technology?</strong><br>Since the publication of AB 2013-07, FHFA has observed a wider adoption of technologies in the mortgage industry.&#160;Many of these technologies reside externally to the regulated entities and are largely outside of the regulated entities' control. Examples of such technologies are cloud servers, vendor models, and external data used by the regulated entities as inputs for their models. Although FHFA has published guidance related to externally sourced technologies such as AB 2018-04&#58; <em>Cloud Computing Risk Management</em> (Aug. 14, 2018) and AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em> (Sept. 28, 2018), FHFA expects the regulated entities to take a macro-prudential view of the risks posed by externally sourced data and technologies. The regulated entities should map their external dependencies to significant internal systems and processes to determine their systemic dependencies and interconnections. In particular, the regulated entities should have an inventory of key dependencies on externally sourced models, data, software, and cloud providers. This inventory should be regularly updated and reviewed by senior management and presented to the board of directors, as deemed appropriate.<br> </p><p style="text-align&#58;justify;"> ​ <strong>1(d).&#160;&#160;</strong><strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">How should a regulated entity treat processes or components of modeling processes that incorporate qualitative elements or judgements?</strong><strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">&#160;</strong></p><p style="text-align&#58;justify;">AB 2013-07, in its definition of models, covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.&#160; <br></p><p style="text-align&#58;justify;"> <strong>2.&#160;&#160;</strong><strong>Model Documentation</strong></p><p style="text-align&#58;justify;"> ​ <strong>2(a).&#160;&#160;</strong><strong>What elements should the regulated entities' model use policies and procedures include to ensure that model documentation is sufficient? </strong> <br>For all model uses, a regulated entity should have policies and procedures in place to ensure model owners compile and maintain comprehensive model documentation that is sufficiently detailed to enable a qualified third party to independently operate and maintain a model for each model use. A regulated entity's processes should be designed and operated reliably to maintain comprehensive model documentation that is complete prior to the independent model validation for a specific use. A regulated entity should have processes in place for revising or augmenting the documentation based on the results of the model validation prior to model implementation. Procedures and policies that require updates to model documentation are important to memorialize all model components correctly and comprehensively for each model use.&#160; </p><p style="text-align&#58;justify;"> <strong>2(b).&#160;&#160;</strong><strong>How should a regulated entity address and mitigate the risks associated with model limitations across the model lifecycle? </strong> <br>The regulated entities should clearly document significant model limitations within the model documentation, along with any root causes and mitigation strategies where appropriate. A regulated entity should document and clearly communicate to the model user community model limitations identified during model development and model validation. Model limitations do not only arise from technical limitations. Limitations arise in part from weaknesses in the model because of its various shortcomings, approximations, and uncertainties. Limitations are also a consequence of assumptions underlying a model that may restrict the scope of appropriate use to a limited set of specific circumstances and situations. Decision makers need to understand the limitations of a model to avoid using it in ways that are not consistent with the original intent. <br> </p><p style="text-align&#58;justify;"> <strong>3.&#160;&#160;</strong><strong>Model Validation Program </strong></p><p style="text-align&#58;justify;"> <strong>3(a).&#160;&#160;</strong><strong>Should a regulated entity's internal model validation guidelines provide specific standards for an independent validation?</strong><br>A regulated entity's internal model validation guidelines and practices should align with AB 2013-07's specific standards to ensure independent review and challenge to model assumptions, mathematical formulae, and inputs. The internal guidelines should include a sufficient level of detail to ensure that qualified experts perform the review at a sufficient breadth and depth.&#160;Further, the model validation report should include thorough descriptions of these reviews and relevant outcomes.&#160;An independent model validation should extend beyond an affirmation of the model's correctness and reasonableness.&#160; </p><p></p><p style="text-align&#58;justify;"> <strong>3(b).&#160;&#160;</strong><strong>How should the regulated entities evaluate third-party model validations? </strong> <br>When using an external vendor to complete an independent model validation, the regulated entity's model validation group is accountable for the quality, recommendations, and opinions of any third-party review. When evaluating a third-party model validation, a regulated entity should implement model risk management policies and practices that align the vendor-completed specific standards for an independent validation with the specific standards included in AB 2013-07.&#160; <br></p><p style="text-align&#58;justify;"> ​ <strong>3(c).&#160;&#160;</strong><strong>How should model validation findings and other model risk issues be monitored and reported?</strong><br>A regulated entity should establish processes for monitoring the remediation status of identified model validation findings and other model risk issues and for providing reports to senior management and management-level committees.&#160;Findings and issues with production models that are significant in nature should be governed in accordance with the regulated entity's issues management program.&#160;&#160; <br> </p><p style="text-align&#58;justify;"> <strong>3(d).&#160;&#160;</strong><strong>What are acceptable practices for effective challenge? </strong> <br>Model risk management policies, as AB 2013-07 notes, should include acceptable practices for “effective challenge&quot; of models.&#160;Effective challenge involves critical analysis by independent, informed parties who can identify model limitations, evaluate assumptions, and recommend appropriate changes. The efficacy of effective challenge depends on a combination of incentives, competence, and influence.&#160;For example, effective challenge requires that the regulated entities invest human capital resources in qualified personnel and ensure the distinct separation of the model challenge process from the model development process.&#160;In addition, the regulated entity should foster a corporate culture where senior levels of management give those responsible for effective challenge processes explicit authority, support, and stature within the organization.&#160; </p><p></p><p style="text-align&#58;justify;"> ​ <strong>3(e).&#160;&#160;</strong><strong>Do challenger or benchmark models play a role in the effective challenge of models?</strong><br>The regulated entities should have a well-developed effective challenge process in place to assess the effectiveness of models and the reasonableness of key assumptions. This may include a champion-challenger framework in which challenger models give an alternative perspective to a primary, or champion model, and provide a point of comparison allowing for analysis of model results and sensitivity of the output.&#160;It is desirable that potential challenger models are well vetted, and employ alternative approaches to estimation, which may include theoretical or methodological differences from the primary model.&#160;Effective challenge should be in place at all levels of estimation where model or estimation risk is affected – this includes overall loss estimates, component level estimates, assumptions, and component level inputs.&#160;The regulated entities should document the effective challenge process as well as any changes that result from it and the rationale for their decisions. </p><p style="text-align&#58;justify;">Although benchmark models may never be considered to be replacements for the primary model, they provide a point of comparison for understanding how the primary model results differ from other widely-referenced available models used in industry.&#160;Benchmark models may also aid in understanding the primary model.&#160; &#160;<br> </p><p style="text-align&#58;justify;"> ​ <strong>3(f).&#160;&#160;</strong><strong>What should a regulated entity consider when deciding if an end-user computing tool (EUC) or calculator should be subject to the guidance set forth in AB 2013-07?</strong><br>The increase in the complexity and reliance on EUCs and calculators to carry out critical financial operations has also fostered the requirement for enhanced EUC/calculator risk mitigation. &#160;For example, a regulated entity should classify a significant or important EUC, calculator, or other data generating process as a model if the EUC, calculator, or process (1) feeds into or out of a model; (2) makes assumptions; and/or (3) incorporates thresholds or quantitative methodologies. Additionally, EUCs and calculators may be integrated into broader modeling processes. When applicable, a regulated entity should also treat integrated EUCs and calculators as models and subject the EUCs, calculators, or processes to model validations and governance in accordance with the frequency and rigor outlined in the regulated entity's model risk management policies and procedures.&#160;A regulated entity that includes EUCs and calculators as part of the broader modeling process is likely already subjecting those EUCs and calculators to the guidance set forth in AB 2013-07.</p><p> <strong>4.&#160;&#160;</strong><strong>Model Control Framework</strong></p><p style="text-align&#58;justify;"> <strong>4(a).&#160;&#160;</strong><strong>How is model performance tracking integral to the model control framework? </strong> <br>A regulated entity should have policies and procedures in place for ongoing model performance tracking (MPT) for each significant model use prior to model production implementation.&#160;Performance tracking preemptively ensures model integrity through the business cycle. Properly designed model performance tracking metrics, thresholds, and alerts provide the model diagnostics necessary to identify and measure sources of model error.&#160;Model diagnostics are intended to capture model performance degradation timely and facilitate the appropriate corrective action. </p><p style="text-align&#58;justify;">MPT metrics and thresholds should be tied to both downstream use effects and a model's integrity as measured by the accuracy of the key outputs.&#160;Model owners are expected to involve model users and model risk management teams to ensure MPT metrics are appropriate, and thresholds are set below the risk tolerance of the business unit. </p><p style="text-align&#58;justify;"> <strong>4(b).&#160;&#160;</strong><strong>What should a regulated entity consider when establishing thresholds for model performance tracking?</strong><br>Ongoing model performance tracking should include well-supported and documented thresholds and procedures for responding to outputs outside these thresholds.&#160;A regulated entity should select, fully document, and reevaluate, on an ongoing basis, thresholds for each significant model use.&#160;As models alone do not drive these business decisions and risk management, model performance thresholds and alerts should be set at a level below the point where model error approximates or equals management risk limits or risk appetite.</p><p style="text-align&#58;justify;"> <strong>4(c).&#160;&#160;</strong><strong>Should model performance tracking include an evaluation of model adjustments? </strong> <strong>&#160;</strong><br>Ongoing model performance tracking should also include monitoring and analysis of any model overrides, on-top adjustments, recalibration, and use of (or changes to) tuning parameters.&#160;This monitoring should include documented, ongoing analysis establishing that any adjustments are appropriate for the model uses to which they are applied.</p><p style="text-align&#58;justify;"> <strong>4(d).&#160;&#160;</strong><strong>How should a regulated entity use model performance tracking metrics and reports? </strong> <br>MPT results show the model's reasonableness, robustness, and range with respect to its historical performance.&#160; Backward-looking performance metrics provide a useful measure of error due to the model.&#160;In both normal and stressed economic environments, model performance reports can help identify a model's fundamental flaws or weaknesses.&#160;Model performance reports should include aggregate model errors that directly affect business decisions and risk management.&#160;Upstream models errors can propagate to downstream models which could amplify the errors.</p><p style="text-align&#58;justify;"> <strong>4(e).&#160; S</strong><strong>hould regulated entities document support for on-top adjustments that align model predictions to actual results? </strong> <br>Periodically, model outputs will require on-top adjustments to produce more accurate results.&#160;These adjustments can occur at the component level or be applied to the overall result depending on the need for the adjustment.&#160;The regulated entities should develop and document a clear and transparent process for determining (1) when on-top adjustments to models are needed; (2) how the adjustment will be applied; and (3) the length of time for having these adjustments in place before finding a permanent solution.<br> </p><p style="text-align&#58;justify;"> ​ <strong>4(f).&#160;&#160;</strong><strong>Is it sufficient to state that assumptions or on-top adjustments are conservative?</strong><br>Simply indicating that model assumptions or on-top adjustments are “conservative&quot; is a qualitative assessment and does not provide sufficient support for a quantitative assumption or adjustment. A&#160;regulated entity should provide documentation to support significant modeling assumptions or on-top adjustments whether they are “conservative&quot; or not.<br></p><p style="text-align&#58;justify;"> <strong>4(g).&#160;&#160;</strong><strong>What role does effective challenge play in establishing on-top adjustments? </strong> <br>When on-top adjustments are applied, the regulated entities should document the justification for the on-top adjustment, articulate the effect of the adjustment, and state for how long it will be applied.&#160;On-top adjustments should also be subjected to effective challenge.&#160;Model risk management should also track and review on-top adjustments to get a broad view that may reveal an enterprise-wide issue.​<br></p><p style="text-align&#58;justify;"> <strong>4(h).&#160;&#160;</strong><strong>How should a regulated entity manage the recurrent use of on-top adjustments? </strong> <br>The use of on-top adjustments should initiate a review process to determine the reason for the on-top adjustment. The recurrent use of on-top adjustments in model estimates can be an indicator of an insufficient model or process robustness and should trigger a review. This review should assess whether the causes leading to use of the on-top adjustment are temporary. If the on-top adjustment is deemed to be recurrent rather than temporary, then the model or forecast process may require updating. If updates are necessary, the regulated entities should have in place a feedback process that engages with the relevant committees, business units, or individuals in a manner that allows model owners to promptly execute any necessary updates to the models. With the continued use of on-top adjustments, a regulated entity's documentation of the need to maintain the adjustments during the next validation cycle is an important feature of any review process. Full documentation of the findings of the review process, and the rationale for any decision and outcome, is another important element concluding the review process.</p><p> <strong>4(i).&#160;&#160;</strong><strong>Is a regulated entity expected to incorporate model</strong><strong>ing</strong><strong> assumption</strong><strong>s</strong><strong> and inputs in the same manner </strong> <strong>across various</strong><strong> model uses? </strong> <br>The regulated entities' policies and procedures should ensure that models, assumptions, and inputs, such as housing price appreciation or macroeconomic factors, are used in a consistent manner across the various financial and business practices where applicable. However, model flexibility is desirable to address circumstances in which models and assumptions cannot be used consistently. For example, if accounting rules prescribe a specific use, then the regulated entity would need a process to address that use and to evaluate and assess the effect of the inconsistency. The regulated entity should document the occurrence, the reason for the differences, and if it has a material effect, determine what steps may be needed to mitigate the effect.&#160; <br></p><p style="text-align&#58;justify;"> ​ <strong>4(j).&#160;&#160;</strong><strong>What are model implementation risks and how can these be mitigated?</strong><br>Errors can occur at any point from design through implementation, thus model risk management should include disciplined and knowledgeable development, testing and implementation processes. Data and other model inputs used to generate model results often rely on EUCs, upstream&#160;models, or other supplemental data generating processes that can be subject to human error or operational errors. A regulated entity should regularly evaluate and confirm that data or other input generating processes align with the documented model theory and have not been subject to human error.&#160; </p><p> <strong>5.&#160;&#160;</strong><strong>Internal Scenario and Sensitivity Analysis and Stress Testing</strong></p><p style="text-align&#58;justify;"> <strong>5(a).&#160;&#160;</strong><strong>What are FHFA's model expectations for scenario analysis?</strong><br>A regulated entity should use scenario analyses to assess the reliability, effectiveness, and stability of forecasts the models produce in a variety of situations and to identify potential issues with the models that can lead to inaccurate results.&#160;Scenario analysis should be distinguished from stress testing as both can be applied enterprise-wide and will often employ the regulated entities' most significant models. Internal scenario analysis and stress testing should be conducted on a recurring basis but should also be conducted as needed.<br> </p><p style="text-align&#58;justify;"> ​ <strong>5(b).&#160;&#160;</strong><strong>What are FHFA's model expectations for sensitivity analyses?</strong><br>Sensitivity analysis can be conducted to assess the effect of many model-related factors (<em>e.g</em>., variables, model specification, key assumptions, constraints on intermediate outputs such as a loss severity floor). Because models are highly influenced by underlying assumptions in forecasted values, the regulated entity should assess how different assumptions and processes can affect the estimates. The regulated entity should use realistic expectations and an approach that makes intuitive sense when stressing key variables. Sensitivity analyses should be completed for each significant component model as well as the overall model or forecast. A regulated entity should vet thresholds or criteria they use for sensitivity analysis to ensure they are meaningful and realistic.</p><p style="text-align&#58;justify;"> <strong>5(c).&#160;&#160;</strong><strong>What are FHFA's model expectations for internal stress testing?</strong><br>Stress testing is a critical tool for a regulated entity's risk management because it alerts senior management to unexpected adverse outcomes for a range of potential risks. Stress testing also may enable the regulated entity to better understand its models' expected losses by exposing model behavior or risk factor behavior that may not be otherwise realized. This may lead to reconsideration of existing model formulations that improve performance or enhance the usefulness of the model.&#160;Stress test scenarios should be designed to capture risks relevant to model predictions for each model use. Stress test scenarios should be developed using reasonable, potential scenarios and incorporate historical events and hypothetical future events, or those not observed historically, (<em>e.g</em>., scenarios without government intervention). Stress test scenarios should also consider potential systematic issues that may adversely affect the model's forecasts.&#160; </p><p style="text-align&#58;justify;">A stress test is designed to simulate the effect of one or more shocks or prolonged downturns on the entire regulated entity. A “shock&quot; is a large, sudden, adverse change in the state of the external world or the internal state of a regulated entity. A shock appears suddenly, and its effects are felt immediately. A “prolonged downturn&quot; is a large, adverse change in the state of the world that emerges and becomes apparent slowly over time. Stress scenarios should be designed to ensure that, in the aggregate, the scenario is sufficiently stressful to challenge the risk management processes, capital, and earnings positions of the regulated entity. Scenario severity should consider countercyclical scenario design principles (<em>i.e</em>., a more pronounced economic downturn when current conditions are stronger and a less pronounced economic downturn when current conditions are weak).<br></p><p style="text-align&#58;justify;">Each scenario variable follows a predetermined path over time.&#160;For computational ease, a stress test can assume that the regulated entity has “exact foresight,&quot; a more deterministic approach where at each point in time within the planning horizon the regulated entity knows the exact path that a variable will follow. Alternatively, a stress test can assume that a regulated entity has only “incomplete foresight&quot; – that at each point in time the regulated entity can only imperfectly forecast a variable's future path. To ensure that stress tests are realistic regarding what can be known <em>ex ante</em> about the future, stress tests should include incomplete foresight when feasible. Incomplete foresight incorporates a more stochastic approach to scenario generation of variables where outcomes are random or uncertain. In addition, stress tests should provide a range of potential losses in addition to point estimates, and these results should be regularly reported to senior management so that they are aware of the output uncertainties associated with models.<br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p> ​ <h1> <span style="text-decoration&#58;underline;"> <em> <strong>RELATED GUIDANCE AND REGULATIONS​</strong></em></span></h1><p style="text-align&#58;left;padding-top&#58;8px !important;"> <em>​Model Risk Management Guidance</em>, FHFA AB 2013-07 (Nov. 20, 2013).</p><p style="text-align&#58;justify;"> <em>Operational Risk Management</em>, FHFA AB 2014-02 (Feb. 18, 2014). </p><p style="text-align&#58;justify;"> <em>FHLBanks Changes to Internal Market Risk Models</em>, FHFA AB 2016-02 (Apr. 21, 2016).</p><p style="text-align&#58;justify;"> <em>Data Management and Usage</em>, FHFA AB 2016-04 (Sept. 29, 2016).</p><p style="text-align&#58;justify;"> <em>Information Security Management</em>, FHFA AB 2017-02 (Sept. 28, 2017).</p><p style="text-align&#58;justify;"> <em>Scenario Determination for Market Risk Models Used for Risk-Based Capital</em>, FHFA AB 2018-01 (Feb. 7, 2018).</p><p style="text-align&#58;justify;"> <em>FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk</em>, FHFA AB 2018-02 (Apr. 26, 2018).</p><p style="text-align&#58;justify;"> <em>Cloud Computing Risk Management</em>, FHFA AB 2018-04 (Aug. 14, 2018).</p><p style="text-align&#58;justify;"> <em>Oversight of Third-Party Provider Relationships</em>, FHFA AB 2018-08 (Sept. 28, 2018).</p><p style="text-align&#58;justify;"> <em>Business Resiliency Management</em>, FHFA AB 2019-01 (May 7, 2019).</p><p style="text-align&#58;justify;">​ <em>Compliance Risk Management</em>, FHFA AB 2019-05 (Oct. 3, 2019).</p><p style="text-align&#58;justify;">​ <em>Enterprise Risk Management Program</em>, ​FHFA AB 2020-06 (Dec. 11, 2020).</p><p style="text-align&#58;justify;"> <em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022).<br></p><p>12 CFR part 1236, Appendix, Prudential Management and Operations Standards<br></p><p style="text-align&#58;justify;">12 CFR part 1277, Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans.<br></p><hr />​ <p> <a name="footnote1" class="super-script">[1]</a>​ Common Securitization Solutions, LLC (CSS) is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in</p><p>the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.&#160; 12 U.S.C. 4502(1), and this AB applies to it.</p><p> <a name="footnote2" class="super-script">[2​]</a>​ The OF is not a “regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial</p><p>Safety and Soundness Act as amended.&#160; <em>See</em> 12 U.S.C. 4502(20).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.</p><p style="text-align&#58;justify;"> <a name="footnote3" class="super-script">[3]</a>​ <em>Cloud Computing Risk Management</em>, FHFA AB 2018-04 (Aug. 14, 2018).&#160; <em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022).</p><p style="text-align&#58;justify;"> <a name="footnote4" class="super-script">[4]</a>​ 12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans; <em>see </em>84 Fed. Reg. 5426 (Feb. 20, 2019) (amending FHFA's regulation on FHLBank capital requirements).</p><p style="text-align&#58;justify;"> <a name="footnote5" class="super-script">[5]</a>​ <em>FHLBank Changes to Internal Market Risk Models</em>, FHFA AB 2016-02 (Apr. 21, 2016); <em>Scenario Determination for Market Risk Models Used for Risk-Based Capital</em>, FHFA AB 2018-01 (Feb. 7, 2018); <em>FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk</em>, FHFA AB 2018-02 (Apr. 26, 2018).</p><p style="text-align&#58;justify;"> <a name="footnote6" class="super-script">[6]</a>​ The capital rule (12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans) requires the FHLBanks to use models for credit risk (as opposed to their previous reliance on credit ratings). FHFA's Division of Bank Regulation (DBR) can direct an FHLBank to revise its credit risk methodology or model to address any deficiencies identified by FHFA.​<br></p><p style="text-align&#58;justify;">DBR's capital rule also requires that the FHLBanks seek approval for changes to their market risk models​.&#160;A Bank making a change to a market risk model should follow the process outlined in AB 2016-02.&#160;</p><p style="text-align&#58;justify;"> <a name="footnote7" class="super-script">[7​]</a>​ Other appropriate FHFA guidance includes, for example&#58; &#160;<em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022); <em>Enterprise Risk Management Program</em><em>, </em>FHFA AB 2020-06 (Dec. 11, 2020); <em>Compliance Risk Management</em>, FHFA AB 2019-05 (Oct. 3, 2019); <em>Business Resiliency Management</em>, FHFA AB 2019-01 (May 7, 2019); <em>Oversight of Third-Party Provider Relationships</em>, FHFA AB 2018-08 (Sept. 28, 2018); <em>Information Security Management</em>, FHFA AB 2017-02 (Sept. 28, 2017); <em>Data Management and Usage</em>, FHFA AB 2016-04 (Sept. 29, 2016); <em>Operational Risk Management</em>, FHFA AB 2014-02 (Feb. 18, 2014). </p><p>​&#160;<br></p><p></p><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;font-weight&#58;400;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ ​​ <br></div> ​<br>​<br>1/17/2023 10:42:17 PMHome / Supervision & Regulation / Advisory Bulletins / Model Risk Management Guidance Advisory Bulletin AB 2022-03:  ​Supplemental Guidance to Advisory Bulletin 2013-07 11079https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Office of Minority and Women Inclusion Supervisory Letter on AI/ML - February 202236790Fannie Mae & Freddie Mac2/10/2022 5:00:00 AM<p>​​<em>This Supervisory Letter,&#160; issued in conjunction with <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Artificial-Intelligence-Machine-Learning-Risk-Management.aspx" style="font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">AB&#160;2022-02,&#160;</a><em>p</em>rovides additional guidance to Fannie Mae and Freddie Mac (Enterprises) and establishes the Agency's expectations for the consideration of diversity and inclusion in the Enterprises' use of Artificial Intelligence and Machine Learning.</em><span style="font-family&#58;lato, sans-serif;font-size&#58;24px;font-style&#58;normal;font-weight&#58;900;">​</span><span style="font-family&#58;lato, sans-serif;font-size&#58;24px;font-style&#58;normal;font-weight&#58;900;">​​</span></p>2/10/2022 4:14:55 PMHome / Supervision & Regulation / Advisory Bulletins / Office of Minority and Women Inclusion Supervisory Letter on AI/ML - February 2022 Advisory Bulletin 8769https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Artificial Intelligence/Machine Learning Risk Management38730Fannie Mae & Freddie Mac2/10/2022 5:00:00 AMAB 2022-02<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2022-03&#58;&#160; ​Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance​</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Advisory-Bulletin-2022-02.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2022-02]</a></span><br></p></td></tr></tbody></table><h1> <span style="text-decoration-line&#58;underline;"><em><strong></strong></em></span></h1><p> <strong style="text-decoration&#58;underline;"><em>Purpose​</em></strong><br></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae and Freddie Mac (collectively, the Enterprises)<a href="#footnote1">[1​]</a>&#160;on managing risks associated with the use of artificial intelligence and machine learning (AI/ML). This AB is intended to highlight key risks inherent in the use of AI/ML that are applied across a variety of business and operational functions, and considerations for effectively managing these risks. FHFA recognizes that AI/ML is an evolving field and encourages the responsible innovation and use of AI/ML that is consistent with the safe and sound operations of the Enterprises.<br></p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>For purposes of this AB, artificial intelligence broadly refers to the development and application of computational tools and computer systems able to perform tasks normally requiring human intelligence, and machine learning is a sub-category of AI described as algorithms that optimize automatically through experience and with limited or no human intervention.<a href="#footnote2">[2]</a>​&#160;The combined term, AI/ML, encompasses the sub-categories of AI, such as computer vision and natural language processing, as well as the various methods used in ML, such as supervised learning, unsupervised learning, reinforcement learning, deep learning, and neural networks. AI/ML can be leveraged in models, applications, tools, and systems throughout its lifecycle. Generally, the AI/ML lifecycle includes stages addressing proof-of-concept, development, implementation and deployment, production use, and retirement.<br></p><p>​The use of AI/ML presents benefits and risks as it increases the opportunity for decisions to be made and relied upon with significantly less human involvement. With increases in computing power, AI/ML can be used by the Enterprises to process vast datasets, identify complex relationships, and improve efficiencies and operations with reduced error and cost. However, AI/ML applications can also expose the Enterprises to financial, compliance, reputational, model, and other risks. For example, AI/ML algorithms developed using incomplete or unrepresentative data with unclear relationships between model inputs and outputs could exacerbate existing risks and result in poor or costly business decisions. As AI/ML continues to advance, the associated risks will also evolve—posing challenges to existing risk management practices. For instance, as AI/ML becomes more automated and integrated into business processes within and across business lines, the interconnected nature of the risks can introduce more complexity in risk management. Reliance on AI/ML without sufficient risk oversight and transparency can create heightened risks for the Enterprises.​<br></p><p>FHFA's Prudential Management and Operations Standards (PMOS), Appendix to 12 CFR Part 1236, sets forth general responsibilities of the board and senior management, as well as specific responsibilities for management and operations relating to ten enumerated standards, adopted as guidelines. Standard 1 (Internal Controls and Information Systems) and Standard 8 (Overall Risk Management Processes) highlight the need for the Enterprises to establish risk management practices that identify, assess, control, monitor, and report risk exposures, and the need to have appropriate risk management policies, standards, procedures, controls, and reporting systems in place. These guidelines are especially relevant to the Enterprises' use and risk management of AI/ML.<br></p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong><br></p><p>The Enterprise should incorporate the following guidance to manage the risks posed by the use of AI/ML, taking into consideration existing laws, regulations, and other FHFA supervision guidance. The sophistication of the AI/ML risk management activity should be proportionate to each Enterprise's size, complexity, and risk profile. The Enterprise should leverage enterprise- wide risk management and control frameworks, including those used for model, data, technology, information security, third-party, and compliance risk management, to the extent practicable. These frameworks, however, may need to be enhanced and adapted with the considerations highlighted in this guidance to address the heightened risks that AI/ML can pose to business operations. Given the evolving nature of AI/ML, risk management should be flexible to accommodate changes in the adoption, development, implementation, and use of AI/ML at the Enterprise. The degree and scope of risk management and controls addressing AI/ML should be risk-based and commensurate with the extent and complexity of AI/ML development and use at the Enterprise, as well as the level of risk exposure. For example, high-risk AI/ML use cases— such as those that affect the Enterprise's critical business functions, invoke compliance with laws​&#160;and regulations, or involve highly complex and opaque methods—warrant more robust risk management considerations than AI/ML uses that are low risk or transparent.<br></p><p> <strong>I.&#160; &#160; &#160;&#160;Governance​</strong><br></p><p>AI/ML tools and systems can support a range of functions across the Enterprise, such as customer engagement, risk analysis, credit decision-making, fraud detection, and information security. The use of AI/ML can also expose the Enterprise to heightened risks, including compliance, financial, operational, and model risks. Effective governance of AI/ML should address these varied, cross-sectional risks in the context of the complexity and sophistication of the AI/ML methods used and the extent and materiality of each AI/ML use case.<br></p><p>The Enterprise should develop an enterprise-wide strategy for responsible AI/ML adoption that identifies the goals, benefits, and risks of AI/ML and clearly documents the corresponding risk management approach and framework for ensuring the application of appropriate risk governance. This strategy should be consistent with a risk culture and applicable risk appetite that integrates AI/ML core ethical principles into business processes and operations.<a href="#footnote3">[3]</a>&#160;The existing enterprise-wide risk management framework and governance processes should be leveraged to the extent practicable and updated to incorporate AI/ML concepts and risk management considerations.<br></p><p>The Enterprise should consider the following as foundational components when establishing a safe and sound AI/ML governance structure&#58;</p><ul><li><p> <strong>​AI/ML Core Ethical Principles</strong> – A set of core ethical principles should guide the Enterprise's use of AI/ML and facilitate consistent governance across various business activities and functions, taking into consideration legal and compliance risks as well as how humans should interact with AI/ML systems. Personnel should be trained and aware of when and how these principles apply. These principles can include, but are not limited to, the following&#58;</p></li><ul><li><p> <span style="text-decoration&#58;underline;">​Transparency</span> – Provide adequate clarity regarding how and why AI/ML is used, in addition to sufficient understanding, interpretability,<a href="#footnote4">[4]</a>&#160;and explainability,<a href="#footnote5">[5​]</a>&#160;allowing for objective assessment and conceptual soundness validation.</p></li><li><p> <span style="text-decoration&#58;underline;">Accountability</span> – Assign appropriate human responsibility for AI/ML outcomes with adequate explanation and justification throughout each lifecycle stage in order to avoid and mitigate adverse outcomes.</p></li><li><p> <span style="text-decoration&#58;underline;">Fairness and Equity</span> – Implement processes that drive fair and equitable AI/ML outcomes across different groups. Fairness is evaluated in consideration of the conditions and objectives of the AI/ML activity, and when applicable, in light of social, economic, political, or cultural biases.</p></li><li><p> <span style="text-decoration&#58;underline;">Diversity and Inclusion</span> – Adequately address explicit and implicit biases in AI/ML systems that hinder diversity, inclusiveness, and representativeness across groups, in accordance with 12 CFR Part 1223, and addressing explicit and implicit biases in AI/ML systems.</p></li><li><p> <span style="text-decoration&#58;underline;">Reliability</span> – Design AI/ML capabilities to operate as intended throughout each lifecycle stage, taking into account purpose, values, accuracy, and safety.</p></li><li><p> <span style="text-decoration&#58;underline;">Privacy and Security</span> – Respect and protect privacy rights and data used for development and use of AI/ML throughout each lifecycle stage using industry best practices, as applicable.</p></li></ul><li><p>​<strong>AI/ML Definitions and Taxonomy</strong> – An enterprise-wide definition and taxonomy for AI/ML terms and capabilities fosters a common vocabulary and understanding across the enterprise in a field that is rapidly evolving. Examples of capabilities include, but are not limited to, techniques such as prediction, classification, natural language, vision, web scraping. Examples of AI/ML terms include, but are not limited to, techniques such as supervised learning, unsupervised learning, reinforcement learning, neural networks, and deep learning. A taxonomy with clear definitions of AI/ML terms and capabilities should facilitate the effective identification and management of AI/ML risks. This taxonomy should include what the Enterprise is and is not classifying as an AI/ML model.</p></li><li><p> <strong>AI/ML Inventory</strong> – A comprehensive inventory that captures the Enterprise's AI/ML use cases across business lines, can provide the Enterprise with a holistic view of how to best manage its AI/ML associated risks. The Enterprise should determine the degree to which it needs to identify and document AI/ML techniques in addition to use cases, understanding that AI/ML can be embedded in models, applications, systems, platforms, tools, and services—either developed in-house or procured from third-party vendors. The AI/ML inventory should be appropriate for the Enterprise's size, complexity, and risk profile, and include AI/ML use cases that range from proof-of-concept through production. To the extent practicable, the AI/ML inventory should be aligned with&#160;existing enterprise-wide inventory systems, such as those used for models, IT assets, and third parties.<br></p></li></ul><p> <em>​A.&#160; &#160; &#160;&#160;Roles and Responsibilities</em><br></p><p>Consistent with the Enterprise's overall enterprise risk management (ERM) program,<a href="#footnote6">[6]</a>&#160;the board of directors (board) is responsible for overseeing enterprise-wide risk management and fostering an effective risk culture. An enterprise-wide approach to managing AI/ML risks should be incorporated into the Enterprise's ERM program and managed within the Enterprise's risk appetite and applicable risk limits framework. Senior management is responsible for executing the AI/ML strategy and the specific risk management practices for AI/ML. Senior management should consider an interdisciplinary approach to AI/ML business decision-making, risk management, and risk oversight that includes sufficient representation from first-line business functions and second-line oversight functions when developing, implementing, and using AI/ML.<br></p><p>Effective AI/ML risk management includes the following considerations commensurate with the risk and complexity involved in the Enterprise's use of AI/ML&#58;<br></p><ul><li><p> Assigned AI/ML risk management roles that are clearly defined and include accountability;</p></li><li><p> Clear reporting lines and communication protocols for reporting relevant AI/ML metrics and escalating conflicts;</p></li><li><p> Appropriately allocated resources for AI/ML that are in line with business needs and consider the benefits and risks;</p></li><li><p> The sufficiency of technical expertise and appropriateness of resources for the complexity and scope of AI/ML techniques;</p></li><li><p> The ability of designated personnel to provide current and appropriate guidance on AI/ML adoption and use strategy;</p></li><li><p> The training of personnel across the three lines of defense on AI/ML applications, risks, and controls;</p></li><li><p> The regular updating of AI/ML related policies, standards, and procedures and the appropriate integration of these into business lines; and</p></li><li><p> The timely remediation of issues or concerns identified by FHFA or internal audit, or self-identified by the business.</p></li></ul><p> <em>B.&#160; &#160; &#160;Policies, Standards, and Procedures​​</em><br></p><p>​The Enterprise's risk policies, standards, and procedures should incorporate measures for identifying, assessing, controlling, monitoring, and reporting AI/ML risks. The Enterprise should develop and maintain processes that promote safe and sound practices throughout the AI/ML lifecycle, incorporating independent review and effective challenge of AI/ML by the second line. Policies, standards, and procedures should also clearly define roles and responsibilities, strategies, risk appetite, and documentation requirements. AI/ML core ethical principles, definitions, taxonomy, and inventory should also be incorporated into policies, standards, and procedures to ensure consistent application across the enterprise. To accommodate the rapidly changing nature of AI/ML, related policies, standards, and procedures may need to be updated on a more frequent basis than non-AI/ML related governing documents.<br></p><p> <strong>II.&#160; &#160; &#160;&#160;Risk Identification and Assessment​​​​​​​</strong><br></p><p>The Enterprise's decision of whether to develop, acquire, and use AI/ML should begin with effective and timely risk identification and risk assessment processes that capture the risks and benefits associated with AI/ML.<a href="#footnote7">[7​]</a>&#160;This should include analyzing and addressing past incidents and lessons learned from the Enterprise's use of AI/ML. Given the rapid technological advancement of AI/ML and the ability of AI/ML models to dynamically update over time, the identification and assessment of AI/ML risks may need to be done frequently, as needed. For example, a risk assessment conducted when an AI/ML tool was in a proof-of-concept stage can quickly become outdated if the scope of use expands in production. As risks can manifest across the Enterprise beyond a single use case, it is critical to know whether an AI/ML approach that was independently reviewed initially has significantly evolved over time.<br></p><p>Whether AI/ML is developed in house or procured from a third party, risk identification and assessment of AI/ML risks should be incorporated in a timely manner into existing risk management processes. This includes identifying when AI/ML meets the definition of a model<a href="#footnote8">[8​]</a>&#160;and determining the appropriate risk management processes that apply. This process should follow clear criteria and document the Enterprise's rationale to pursue a particular use case.​<br></p><p>Risk identification and assessment should incorporate cross-collaboration and review among stakeholders across divisions, business lines, and risk teams to comprehensively capture AI/ML risks. The Enterprise should have personnel with adequate AI/ML and data analytics subject matter expertise in key positions across all three lines of defense to accurately identify and assess AI/ML risks at appropriate junctures in the AI/ML lifecycle. For instance, AI/ML may be embedded into third-party software and hardware used in customer decisioning or interface that is not readily apparent but influences performance. In this example, stakeholders in technology, modeling, and third-party risk management should be involved in order to adequately identify and assess risks.&#160;</p><p>The financial, compliance, legal, reputational, and operational risks that are typically assessed for any business activity should be evaluated with respect to the use of AI/ML. Risks may become heightened given the complexity and speed of AI/ML innovation and use, which can manifest in unfamiliar ways, thus making AI/ML risks harder to identify in an effective and timely manner. Key risk considerations are discussed in more detail below.​<br></p><p> <em>A.&#160; &#160; &#160;Model Risks​​​​</em><br></p><p>For AI/ML, the following are heightened model risks&#58;<br></p><ul><li><p>Black Box Risk – There can be an inherent tradeoff between model complexity, accuracy, and transparency when using AI/ML models. Complex AI/ML models may not offer clear relationships between model inputs and outputs that are readily understandable by humans. A lack of interpretability, explainability, and transparency – or “black box risk&quot; – can translate into higher levels of uncertainty about the conceptual soundness and suitability of the AI/ML approach. Related to this is the risk of a lack of expertise among model developers in building and users in applying AI/ML models.</p></li><li><p>Overfitting – Model out-of-sample performance may be significantly worse than in- sample performance when a model learns from idiosyncratic patterns in the training data that is not representative of the population being modeled.<a href="#footnote9">[9]</a>&#160;While overfitting is a common risk with traditional models, the risk is heightened with the use of AI/ML models. Undetected overfitting could result in incorrect predictions or categorizations.</p></li><li><p>Model Drift – The risk of model performance degradation over time is also heightened with the use of AI/ML models. This can be driven by data drift—which occurs when there are changes in the population being modeled thereby affecting the representativeness of input data--or concept drift, which occurs when the relationships between model inputs and outputs change.</p></li><li><p>Model Calibration and Feedback – Dynamic model calibration, self-updating, and continuous feedback with the use of certain AI/ML models can present heightened model risks, as these models may create a feedback loop that is not well understood. The accuracy of the AI/ML model's results may degrade rapidly if compromised feedback is not detected in a timely manner. More opaque and complex AI/ML models can also present challenges in understanding why a particular approach experiences performance degradation due to a lack of transparency.<br></p></li><li><p>Bias<a href="#footnote10">[10​]</a>&#160;– Bias in AI/ML models contributes to poor predictability and can lead to discriminatory or unfair outcomes that benefit or harm some individuals, groups, or communities disproportionately. Bias can arise from the data used and can be amplified by the algorithm itself.</p></li><li><p>Model Misuse – Business users may lack an adequate level of understanding of the AI/ML model's output and limitations. Model misuse may also be driven by misalignment between the model methodology or algorithm and the business problem to be addressed and quantified by the model.</p></li><li><p>Vendor Models – The use of vendor AI/ML models may heighten existing vendor model risks because of increased model and data complexity and lack of transparency due to the proprietary nature of such models.​​<br></p></li></ul><ul></ul><p> <em>B.&#160; &#160; &#160;Data Risks​</em><br></p><p>The quality and appropriateness of data used in AI/ML is crucial in producing reliable decisions or predictions. Large and diverse datasets drive many AI/ML algorithms. Unrepresentative and unsuitable data reduces the accuracy and utility of AI/ML. The following data risks are heightened with the use of AI/ML&#58;<br></p><ul><li><p>Appropriateness and suitability of data for purpose (e.g., data source and selection of data).</p></li><li><p>Appropriateness and suitability of the dataset for a particular stage of use (e.g., data for training versus production, testing, and validation).</p></li><li><p>Accuracy and quality of data used in training and production.</p></li><li><p>Appropriateness of data sampling techniques used that could result in imbalanced datasets.</p></li><li><p>Bias in selection of data such as omission bias or stereotype bias, and bias in data processing.</p></li><li><p>Complex, high-dimensional data, and new, unfamiliar data sources, such as third-party data or unstructured data.</p></li><li><p>Time and cost associated with acquiring, curating, and preparing data.</p></li><li><p>Lack of data lineage preservation and the failure to identify root causes of errors or risks associated with the storage and movement of data that could affect data integrity.</p></li><li><p>Security of data from unintentional and intentional manipulation of data, such as data poisoning.</p></li></ul><p> <em>C.&#160; &#160; &#160;Other Operational Risks​​​</em><br></p><p>The use of AI/ML involves other operational risks, such as information technology, information security, third-party, and business resiliency risks. Depending on the scope and complexity of AI/ML use cases, the following are areas of potential risk&#58;​<br></p><ul><li><p>IT infrastructure – Legacy IT systems may not be able to support the storage, transfer, and processing of big datasets for AI/ML. Implementing AI/ML can also place a high demand on IT infrastructure and cloud-based services. Insufficient computing power and hardware can degrade network latency and performance standards per established key indicators. For example, AI/ML models that require reliable computing speed to handle model complexity and frequent recalibration needed for production readiness may be negatively impacted by ill-equipped IT systems.</p></li><li><p>Information security – Adopting AI/ML systems may pose risks to existing processes that can compromise the confidentiality, integrity, and availability of information. Open source software or application program interfaces (APIs) embedded into AI/ML technology may also present susceptibility to adversarial attacks.</p></li><li><p>Business continuity – Business functions supported by AI/ML can feed into downstream business processes or other AI/ML systems that can cause significant disruptions across the enterprise if AI/ML performance is degraded or compromised.</p></li><li><p>Use of AI/ML through third-party providers – Third-party provided products and services—ranging from those with embedded AI/ML to cloud providers hosting AI/ML platforms—present potential business resiliency and concentration risks if AI/ML services are limited to a few vendors.<a href="#footnote11">[11]</a><br></p></li></ul><p> <em>​D.&#160; &#160; &#160;Regulatory and Compliance Risks​​</em><br></p><p>The use of AI/ML presents regulatory and compliance risks, such as compliance with consumer protection, fair lending, privacy, and employment discrimination laws and regulations. For example, the use of AI/ML-based credit underwriting models in credit decision-making can present compliance risks due to a lack of explainability of the model, interpretability of the model output, and adequacy of controls in the decision-making process that may be mandated by consumer protection and fair lending laws and regulations. Additionally, personal data used in AI/ML may be subject to complex data governance and privacy laws with requirements such as anonymizing data, securing consent to use the data, and maintaining a record of how data is used, accessed, and stored.​<br></p><p> <strong>III.&#160; &#160; &#160;Control Framework​</strong><br></p><p>The degree and scope of risk management and controls addressing AI/ML should be commensurate with the extent and complexity of AI/ML development and use at the Enterprise and level of risk exposure. The Enterprise should consider the evolving nature of AI/ML when evaluating, adjusting, or adding mitigating controls. Appropriate stakeholders should determine whether controls are in line with applicable risk appetite metrics. Controls mitigating AI/ML risk should be embedded in policies, standards, and procedures, and in the roles and responsibilities of all stakeholders throughout the AI/ML lifecycle. Key control considerations are discussed in more detail below.<br></p><p> <em>A.&#160; &#160; &#160;Model Controls</em><br></p><p>While FHFA guidance for model risk management and model controls framework<a href="#footnote12">[12]</a>&#160;applies to AI/ML models, the Enterprise should also consider&#58;&#160;</p><ul><li><p> Whether model risk policies, standards, procedures, and practices sufficiently address AI/ML concepts such as—but not limited to—model interpretability, explainability, transparency, bias, fairness, dimensionality reduction, hyperparameter selection, feature engineering, and dynamic retraining and updating. Existing model risk management practices may need to be adapted to address non-traditional use cases, such as chatbots, cybersecurity, and human resources analytics.<br></p></li><li><p> Whether the Enterprise has staff across all lines of defense with appropriate knowledge, skills, and experience in AI/ML data science, analytics, and modeling. For example, model owners and users should have a sufficient understanding of the underlying AI/ML model assumptions and limitations.<br></p></li><li><p> Whether the Enterprise has an AI/ML model development process that guides initial determinations on data quality and suitability, model conceptual soundness, explainability, and appropriateness of use.<br></p></li><li><p> Whether the Enterprise has tools and techniques to determine drivers of AI/ML model decisions and to assist in model interpretability, bias detection, and performance testing.<br></p></li><li><p> Whether the frequency of AI/ML model performance tracking and ongoing monitoring is adequate to observe changes in model drift and degradation, dynamic updating, and the adequacy of corresponding model change management processes. For example, AI/ML models may update more frequently than traditional models, requiring recalibration and tuning as the algorithm learns from new data. To accommodate this more frequent update cycle, the AI/ML model should be dynamically monitored to detect changes in performance and impact on business usage.​<br></p></li></ul><ul><li><p> Whether the frequency and scope of model validation and effective challenge processes is adequate to sufficiently address AI/ML models and related concepts. For example, point- in-time independent model risk management and model validation approaches may need to be adapted as AI/ML models may not be static between reviews.<br></p></li><li><p> All AI/ML models are expected to go through model validation. This includes AI/ML models used by internal audit and other functions that may not traditionally use model output such as the information technology functions. In all cases, the second line model risk management function should perform the validation, or contract with a third party for the validation should additional expertise be necessary.<br></p></li><li><p> Model risk management processes for identification of material model changes may need to be enhanced, given the more frequent AI/ML model change management cycle.<br></p></li><li><p> Whether model documentation requirements and frequency of update are adequate to reflect current AI/ML model input and output relationships and model operation.<br></p></li><li><p> Whether consideration of ethical principles, such as fairness and bias, are adequately addressed throughout all lifecycle stages.<br></p></li><li><p> Whether an adequate independent assessment of third-party AI/ML models is performed to evaluate the conceptual soundness, security, and integrity of the AI/ML model's development and performance.<br></p></li></ul><p style="text-decoration&#58;underline;">Challenger Models<br></p><p>Challenger models are developed as an alternative to a champion or production model, allowing for testing of alternative theoretical or estimation methodologies. Challenger models may be developed internally or by external vendors, subject to the same principles as internally developed challenger models. The criteria for determining champion and challenger models should be clear and measurable, and provide adequate support for why one model is chosen to be the champion model along with analysis of model performance and related assumptions. The Enterprise should take a risk-based approach with regard to the intensity and frequency of a challenger model's validation and effective challenge and, to the extent AI/ML techniques are utilized, ensure heightened risk management considerations as described in this AB are considered.​</p><p> <em>B.&#160; &#160; &#160;​Data Controls​​</em><br></p><p>Data risk management strategies, governance, policies, procedures, and standards may need to be enhanced to address increased data risks associated with the use of AI/ML.<a href="#footnote13">[13]</a>&#160;The Enterprise should consider the following when evaluating the data risks associated with AI/ML&#58;<br></p><ul><li><p>The adequacy of data risk management roles and responsibilities such as data ownership and management. For example, there may need to be more frequent and robust data accountability roles and approval processes to address data quality, relevance, and compliance concerns.</p></li><li><p>The strength of practices and processes to mitigate the sources of data bias, such as data proxies and use of over- or under-represented data.</p></li><li><p>The efficacy of each stage of data management, including the acquisition and sourcing of data, data preparation and processing, data quality review, and data sampling to address data bias, appropriateness, quality, and preservation.</p></li><li><p>The adequacy of documentation requirements for each stage of data management, such as usage rights and data permissions.</p></li><li><p>The strength of data lineage practices with all types of data formats, such as unstructured data, that adequately captures the transformations and modifications to data.</p></li><li><p>The adequacy of enterprise-wide data architecture and systems to accommodate the storage, processing, and movement of vast, complex data sets and various data types used for AI/ML while ensuring business operations are not adversely affected.</p></li><li><p>The degree and frequency of monitoring data at each stage of use to identify risks such as data drift and data anomalies.</p></li><li><p>The adequacy of data testing measures and remediation to ensure data issues are resolved.</p></li><li><p>The sufficiency of data security measures from internal and external threats and compromises to data.​<br></p></li></ul><p> <em>C.&#160; &#160; &#160;Other Operational Controls​</em><br></p><p>To address other operational risks raised with the use of AI/ML, the Enterprise should consider the following risk mitigation solutions&#58;<br></p><ul><li><p>Scalable infrastructure to support data storage and computing power necessary to meet operational and business needs.<br></p></li><li><p>Business continuity plans and incident response plans that are adapted to AI/ML tools, systems, and applications, including third-party AI/ML products and services.<br></p></li><li><p>Contingency plans, including manual override functions, when automated AI/ML dependent processes become skewed.<br></p></li><li><p>Workarounds that address interconnectivities and dependencies of data.<br></p></li><li><p>Sufficient and consistent testing of in-house and third-party AI/ML tools, applications, and systems to assess integrity, security, and business resiliency.<br></p></li><li><p>Appropriate change management practices and procedures to accommodate evolving AI/ML techniques.<br></p></li><li><p>Security measures to monitor and protect cloud-based AI/ML models and data.<br></p></li><li><p>Open-source software controls.</p></li><li><p>Contractual requirements with third-party providers of AI/ML models and data that ensure transparency and accountability with use.​<br></p></li></ul><p> <em>D.&#160; &#160;&#160; Regulatory and Compliance Controls​​</em><br></p><p>The Enterprise may need to adapt its existing regulatory and compliance risk management practices and controls to accommodate AI/ML associated risks, including the following&#58;<br></p><ul><li><p>Revising policies, procedures, and standards to address AI/ML explainability, interpretability, and transparency, and compliance with applicable laws and regulations.</p></li><li><p>Designing a compliance risk management program,<a href="#footnote14">[14]</a>&#160;that includes analysis of relevant consumer protection, employment discrimination, privacy, and other laws and regulations as they apply to the use of personal and alternative data.</p></li><li><p>Involving qualified compliance personnel during AI/ML development and implementation to ensure data and methodologies comply with applicable laws and regulations.</p></li><li><p>Integrating fair lending reviews and testing, as appropriate, through all lifecycle stages.<br></p></li></ul><p> <strong>IV.&#160; &#160; &#160;&#160;Risk Monitoring, Reporting, and Communication​</strong></p><p>The Enterprise should establish appropriate key risk indicators (KRIs) and key performance indicators (KPIs) for monitoring and analyzing AI/ML risks and risk management practices in line with risk appetite. These KRIs and KPIs can indicate whether existing risk management practices are effective or need to be modified. AI/ML related risk and performance metrics should be reported and communicated to the appropriate stakeholders across the enterprise.<br></p><p>Reporting and communication protocols may need to be reviewed and adjusted more frequently to optimally capture and timely convey AI/ML associated risks as they evolve and change. The Enterprise should consider the following when monitoring, reporting, and communicating AI/ML risks within and across business lines&#58;<br></p><ul><li><p>The degree and frequency of monitoring needed to adequately capture the scope of AI/ML risks, including model, data, compliance, information security, and other operational risks.</p></li><li><p>The relevancy and effectiveness of KPIs and KRIs in measuring changes to the risk profile associated with AI/ML risks, and the frequency to which they need to be evaluated and reviewed for changes. Such metrics should also reveal the comparative business advantages or disadvantages of using AI/ML.<br></p></li><li><p>The benefits and risks associated with AI/ML powered monitoring applications and the appropriate level of human involvement and discretion needed for monitoring AI/ML risks.</p></li><li><p>The adequacy of reporting within and across business units, lines, and the enterprise, including board and senior management, to effectively communicate AI/ML risks.<br></p></li><li><p>The type of information regarding AI/ML performance and risks that needs to be conveyed to different stakeholders across the enterprise and escalated to senior management and the board. For example, first line data scientists and modelers may rely on granular AI/ML metrics while second line risk management may utilize broader, aggregated AI/ML data.​<br><br></p></li></ul><div><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance and Regulations</em></strong></p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters.<br></p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards. 12 CFR Part 1223, Minority and Women Inclusion.</p><p>Model Risk Management Guidance, Federal Housing Finance Agency Advisory Bulletin 2013- 07, November 20, 2013.<br></p><p>Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.<br></p><p>Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br></p><p>Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br></p><p>Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017- 02, September 28, 2017.<br></p><p>Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.<br></p><p>Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.<br></p><p>Business Resiliency Management, Federal Housing Finance Agency Advisory Bulletin 2019- 01, May 7, 2019.​</p><p>Compliance Risk Management, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019.<br></p><p>Enterprise Risk Management Program, Federal Housing Finance Agency Advisory Bulletin 2020-06, December 11, 2020.​<br></p><p>Enterprise Fair Lending and Fair Housing Compliance, Federal Housing Finance Agency Advisory Bulletin 2021-04, December 20, 2021.​<br></p> <span style="font-style&#58;normal;">_______________________________</span>​<br><br></div><div><p> <a name="footnote1">[1]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 USC 4502(1).</p><p> <a name="footnote2">[2]</a> There are no industry-wide definitions for AI/ML, but for purposes of this AB, definitions from the Financial Stability Board are used.&#160;See&#160;Financial Stability Board, Artificial Intelligence and Machine Learning in Financial Services&#160;(November 2017).<br></p><p> <a name="footnote3">[3]</a> &#160;See&#160;FHFA Advisory Bulletin 2020-06,&#160;Enterprise Risk Management Program&#160;(Dec. 11, 2020).</p><p> <a name="footnote4">[4]</a> Interpretability refers to the extent to which a human can understand the choices taken by a model in the algorithmic decision-making process.</p><p> <a name="footnote5">[5]</a> Explainability refers to how an AI/ML approach uses inputs to produce outputs (i.e., can the outcome be explained).​<br></p><p> <a name="footnote6">[6]</a> &#160;See&#160;FHFA Advisory Bulletin 2020-06,&#160;Enterprise Risk Management Program&#160;(Dec. 11, 2020).​<br></p><p> <a name="footnote7">[7]</a> Consistent with FHFA Advisory Bulletin 2020-06,&#160;Enterprise Risk Management Program&#160;(Dec. 11, 2020), and FHFA Advisory Bulletin 2014-02,&#160;Operational Risk Management&#160;(Feb. 18, 2014).</p><p> <a name="footnote8">[8]</a> &#160;See&#160;FHFA Advisory Bulletin 2013-07,&#160;Model Risk Management Guidance&#160;(Nov. 20, 2013).<br></p><p> <a name="footnote9">[9]</a> In-sample performance is model performance based on the training sample, while out-of-sample performance is model performance generated using data excluded from the training sample.​<br></p><p> <a name="footnote10">[10]</a> &#160;See, e.g.,&#160;National Institute of Standards and Technology (NIST) research on identifying and managing bias in artificial intelligence.​<br></p><p> <a name="footnote11">[11]</a> &#160;See&#160;FHFA Advisory Bulletin 2018-08,&#160;Oversight of Third-Party Provider Relationships&#160;(Sept. 28, 2018).<br></p><p> <a name="footnote12">[12]</a> &#160;See&#160;FHFA Advisory Bulletin 2013-07,&#160;Model Risk Management Guidance&#160;(Nov. 20, 2013).<br></p><p> <a name="footnote13">[13]</a> &#160;See&#160;FHFA Advisory Bulletin 2016-04,&#160;Data Management and Usage&#160;(Sept. 29, 2016).<br></p><p> <a name="footnote14">[14​]</a> &#160;See&#160;FHFA Advisory Bulletin 2019-05,&#160;Compliance Risk Management&#160;(Oct. 3, 2019).</p>​<br></div><h2> <br> <table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>FHFA has statutory responsibility to ensure&#160; the safe and sound operations of the regulated entities and the Office of Finance.&#160;&#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations&#160;in&#160;particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160;Questions about this advisory bulletin should be directed to&#58; <a>SupervisionPolicy@fhfa.gov.<br></a></p> <a> </a></td></tr></tbody></table>​<br></h2>2/10/2023 5:52:43 PMHome / Supervision & Regulation / Advisory Bulletins / Artificial Intelligence/Machine Learning Risk Management Advisory Bulletin [view PDF of Advisory Bulletin 2022-02 9374https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Insider Trading Risk Management36768Fannie Mae & Freddie Mac2/8/2022 5:00:00 AMAB 2022-01 <table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;">​​​​​​ADVISORY BULLETIN</span></p><p> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;">AB 2022-01&#58;&#160; Insider Trading Risk Management</span></p><p> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2022-01.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2022-01]</a></span></p></td></tr></tbody></table><p style="font-style&#58;normal;font-family&#58;&quot;source sans pro&quot;, sans-serif;text-align&#58;justify;"> <span style="text-decoration-line&#58;underline;"> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;"> <em></em></span></span></p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Purpose</em></strong></span></p><p>This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (collectively, the Enterprises)<a href="#footnote1">[1]</a>&#160;Federal Housing Finance Agency's (FHFA) supervisory guidance for managing insider trading risk and related conflicts of interest to support a safe and sound operating environment. Insider trading risk management is a key component of an Enterprise's compliance risk management program.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Insider trading risk is the risk of legal or regulatory sanctions, damage to current or projected financial condition, damage to business resilience,<a href="#footnote2">[2]</a> or damage to reputation resulting from nonconformance with U.S. Securities and Exchange Commission (SEC) insider trading laws and disclosure requirements,<a href="#footnote3">[3]</a> rules, prescribed practices, internal policies and procedures, and ethical and related conflict-of-interest standards (insider trading obligations). </p><p>The phrase “insider trading&quot; may refer to legal and illegal conduct. Insider trading is legal when an investor trades a security<a href="#footnote4">[4]</a> but does not have material nonpublic information (MNPI) or when the trade is made pursuant to a Rule 10b5-1 passive investment plan.<a href="#footnote5">[5]</a> </p><p>Illegal insider trading occurs when a person or entity in possession of MNPI, obtained through their employment or other involvement with a company, purchases, sells or otherwise trades their own company's securities or non-company securities based on MNPI, or when a person or entity improperly discloses MNPI to a third party<a href="#footnote6">[6]</a> (collectively, illegal insider trading activity). </p><p>Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act),<a href="#footnote7">[7]</a> other securities laws,<a href="#footnote8">[8]</a> and common law obligations broadly prohibit fraudulent activities of any kind in connection with the offer, purchase, or sale of securities.<a href="#footnote9">[9]</a> SEC regulations<a href="#footnote10">[10]</a> do not define the terms &quot;material&quot; and &quot;nonpublic&quot; but rely on definitions established in case law. Material information can be positive or negative and can relate to virtually any aspect of the Enterprise's business or to a type of security. Information is material if &quot;there is a substantial likelihood that a reasonable shareholder would consider it important&quot; in making an investment decision<a href="#footnote11">[11]</a> or if there is a substantial likelihood that it would be viewed “by the reasonable investor as having significantly altered the 'total mix' of information made available.&quot;<a href="#footnote12">[12]</a> Information is nonpublic if it has not been made generally available to investors.<a href="#footnote13">[13]</a></p><p>Insider trading risks include exposure to private civil actions or civil, criminal, and administrative actions by regulators, law enforcement, or other government agencies, such as&#58;</p><ul><li>The SEC's enforcement of Sections 10(b), 16, and 20(a) of the Exchange Act<a href="#footnote14">[14​]</a>&#160;and Rule 10b-5;​<a href="#footnote15">[15]</a></li><li>The U.S. Department of Justice's (DOJ) criminal prosecution of individuals and corporations related to insider trading and securities fraud under Section 807 of the Sarbanes-Oxley Act of 2002;<a href="#footnote16"><sup>[16]</sup></a></li><li>FHFA's enforcement of fraud reporting requirements related to insider trading activity pursuant to the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing and Economic Recovery Act of 2008 (Safety and Soundness Act);<a href="#footnote17"><sup>[17]</sup></a></li><li>FHFA's enforcement of applicable laws, regulations, orders, or adverse examination findings and communications;<a href="#footnote18">[18]</a></li><li>Enforcement of applicable state laws and regulations addressing insider trading activities that violate corporate fiduciary duties of care and loyalty;<a href="#footnote19"><sup>[19]</sup></a> and </li><li>Recourse for misappropriation of MNPI.</li></ul><p> <span style="color&#58;#444444;">​</span><span style="color&#58;#444444;">Additionally, effective management of insider trading risk requires compliance with the following FHFA regulations&#58;</span></p><ul><li> <span style="color&#58;#444444;">12 CFR 1239.10 (Code of Conduct and Ethics);</span></li><li>12 CFR 1239.11 (Risk Management); and</li><li>12 CFR 1239.12 (Compliance Program).</li></ul><p>Effective insider trading risk management also requires consideration of the guiding principles of sound risk management set forth in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS). With respect to various risk-management areas, the PMOS articulate guidelines on general responsibilities of the Enterprises' boards and senior management; establishment of policies, standards, and procedures; adequate resources, systems, and controls; and an adequate internal audit function.<a href="#footnote20">[20]</a></p><p style="text-decoration&#58;underline;"> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;color&#58;#404040;"> <em>Guidance</em></strong></p><p style="text-align&#58;left;">The Enterprise is expected to establish and maintain an effective compliance program based on enterprise-wide risk assessment processes<a href="#footnote21">[21]</a> to manage insider trading activities and the inherent risks of those processes. Through its risk assessments, the Enterprise identifies business areas and roles presenting heightened insider trading risk and identifies effective controls to minimize that risk. To mitigate insider trading risk, the Enterprise should examine the nature of its business and its prior history of insider trading risk events, determine what types of illegal insider trading activities pose the greatest risk, and adopt effective controls to detect and prevent such misconduct.<a href="#footnote22">[22]</a> By implementing a well-designed, adequately resourced, and effective compliance program, an Enterprise can make it less likely that covered parties<a href="#footnote23">[23]</a> will engage in illegal insider trading activity.<a href="#footnote24">[24]</a> </p><p> <strong>I.</strong><strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </strong> <strong>Corporate Governance </strong></p><p> <em>A.</em><em>&#160; </em> <em>&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Roles and Responsibilities</em></p><p>The Enterprise's board of directors (board) plays a pivotal role in the effective governance of insider trading risk.<a href="#footnote25">[25]</a> The Enterprise is responsible for establishing and maintaining a written code of conduct and ethics that is reasonably designed to assure that its directors, officers, and employees discharge their duties and responsibilities in an objective and impartial manner that promotes honest and ethical conduct, compliance with applicable laws, rules, and regulations, accountability for adherence to the code, and prompt internal reporting of violations of the code to appropriate persons identified in the code (Code of Conduct).<a href="#footnote26">[26]</a> The Code of Conduct is an invaluable resource helping employees locate relevant governing documents, services, and other resources related to insider trading, ethics, and compliance generally. The Enterprise may also benefit from adopting a separate Code of Conduct for members of the Board of Directors (Director Code). An appropriate Director Code reflects that Directors have higher exposure to insider trading risk given their access to MNPI. </p><p>The Code of Conduct and the Director Code should encourage high ethical standards, promote a culture of compliance with insider trading obligations,<a href="#footnote27">[27]</a> and discourage unethical behavior or circumvention of compliance obligations.<a href="#footnote28">[28]</a> Promoting a culture of compliance with insider trading obligations includes documenting and communicating clear expectations about compliance with insider trading laws; clearly communicating related conflict of interest and business ethics standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of insider trading obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.<a href="#footnote29">[29]</a> </p><p> <em>B.</em><em>&#160; </em> <em>&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Insider Trading Governing Documents </em></p><p>Committee charters, delegations of authority, policies, standards, and procedures that address insider trading obligations (insider trading governing documents) are excellent communication tools.<a href="#footnote30">[30]</a> The insider trading governing documents should assign clear and consistent roles and responsibilities for managing insider trading risk and for reviewing and resolving related conflicts of interest. An Enterprise's insider trading governing documents should include change management procedures for effectively monitoring and operationalizing new or modified insider trading obligations and for communicating these changes across the three lines of defense. </p><p> <em>C.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Illegal Insider Trading Prohibitions </em></p><p style="text-align&#58;left;">An Enterprise's insider trading governing documents should address statutory and regulatory prohibitions against illegal insider trading activities.<a href="#footnote31">[31]</a> An Enterprise's insider trading governing documents should make clear that an Enterprise's exposure to insider trading risk is increased when an Enterprise fails to supervise staff in possession of MNPI, fails to establish adequate policies and procedures for handling MNPI,<a href="#footnote32">[32]</a> and fails to report instances of insider trading to the appropriate regulators.<a href="#footnote33">[33]</a></p><p> <em>D.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Conflicts of Interest </em></p><p style="text-align&#58;left;">Misuse of MNPI for personal benefit in securities transactions is a conflict of interest related to insider trading.<a href="#footnote34">[34]</a> An Enterprise's insider trading governing documents should establish procedures for reviewing and resolving potential material conflicts of interest related to insider trading; responding to requests for waivers or exceptions to trading prohibitions and addressing any other insider trading obligations or restrictions set forth in the insider trading governing documents. Each Enterprise should maintain written records of all identified material conflicts of interest related to insider trading. </p><p> <strong>II.</strong><strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </strong> <strong>Risk Identification and Assessment</strong></p><p>The insider trading governing documents should operationalize insider trading risk-management obligations into the Enterprise's day-to-day business processes, job duties, and responsibilities. The Enterprise's insider trading governing documents should&#58; identify potential MNPI; determine which transactions, disclosures, and personnel are covered by the insider trading obligations; evaluate the quality of risk management; assess residual insider trading risk; and promote independent reviews, escalation, and tracking of identified issues. The insider trading governing documents should also include methods of measuring insider trading risk (<em>e.g</em>., by using key risk indicators) and use such measurements to enhance compliance risk assessments.<a href="#footnote35">[35]</a> </p><p> <em>A. </em> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Identifying MNPI</em></p><p>Management, with appropriate board oversight, should establish effective information management systems<a href="#footnote36">[36]</a> to protect MNPI and other sensitive information. Data security management policies, standards, and procedures should contain specific security requirements established for categories of sensitive data.<a href="#footnote37">[37]</a> </p><p> <em>B.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Identifying Covered Transactions</em></p><p>Effective insider trading governing documents highlight the broad scope of insider trading obligations and make clear that these obligations apply to the purchase and sale of all securities and not just common stock. Prohibitions against illegal trading apply to the purchase and sale of an Enterprise's stock, hedging Enterprise securities, purchase and sales of Enterprise securities pledged in a margin account or as collateral for a loan, trading debt securities issued by the Enterprise and any other securities issued by the Enterprise. The prohibitions also apply to securities of non-Enterprise companies, including securities of third parties, if a covered party (defined below) learns information in the course of his or her duties that may affect the value of those other non-Enterprise securities. Effective insider trading governing documents and risk assessment procedures may include a list of examples of transactions subject to the insider trading obligations (covered transactions) as well as lists of institutions and securities that are covered or restricted. An Enterprise's insider trading governing documents should also address permissible trading windows, pre-clearance of acceptable transactions, and blackout periods, as applicable, when the Enterprise prohibits trading and the extent to which various covered parties are subject to such terms. </p><p> <em>C.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Covered Parties</em></p><p>FHFA expects an Enterprise to make clear that insider trading obligations apply to the Enterprise, its employees, officers, directors, select contingent workers, other third parties with access to MNPI, and individuals receiving “tips&quot; of MNPI, if the person receiving the tip is a family member or has a meaningfully close personal relationship with the party improperly disclosing the MNPI (covered parties). The Enterprise should establish standards and procedures for determining which third parties, counterparties, vendors, business partners, consultants, or advisers are considered covered parties. Such selection standards should include consideration of the relationship with the third party and the extent to which the third party has access to MNPI.<a href="#footnote38">[38]</a> Not all elements of the Enterprise's insider trading compliance program are anticipated to apply equally to all covered parties. The insider trading governing documents should also describe procedures for adding and removing covered parties from monitoring requirements based on changes in job responsibilities or access to MNPI.<a href="#footnote39">[39]</a> </p><p> <em>D.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Evaluating Quality of Risk Management and Assessing Residual Risk</em></p><p>An Enterprise's risk assessment processes should include risk-control self-assessments, key risk indicators, and key performance indicators.<a href="#footnote40">[40]</a> An Enterprise's assessment of insider trading risk should include processes that evaluate the likelihood of noncompliance with insider trading obligations. The risk assessment and insider trading governing documents should also include processes for evaluating the effectiveness of controls in place to manage insider trading risk and to protect and prevent improper disclosure of MNPI,<a href="#footnote41">[41]</a> and include processes for reviewing whether regulatory, legal, or other related compliance risk categories' residual risk levels align with risk appetite.<a href="#footnote42">[42]</a></p><p> <strong>III.</strong><strong>&#160;&#160;&#160;&#160;&#160;&#160; </strong> <strong>Controls</strong></p><p>In addition to establishing an effective governance framework, comprehensive insider trading governing documents, and an effective risk identification and assessment system, an Enterprise's robust internal controls should also include identifying, managing, and reporting on insider trading-related controls.<a href="#footnote43">[43]</a></p><p> <em>A.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Managing and Protecting MNPI</em></p><p>The insider trading governing documents and associated controls should be designed to ensure that MNPI is properly protected.<a href="#footnote44">[44]</a> Covered parties should understand that they are responsible for treating confidential information that may be MNPI in accordance with the expectations in the Enterprise's insider trading governing documents. Covered parties are prohibited from disclosing MNPI to others (including other people within the Enterprise, family members, friends, or employees of a director's member institution, etc.) unless the person has a need to know the information for legitimate Enterprise-related reasons.</p><p>The development of information barriers is important to securing MNPI.<a href="#footnote45">[45]</a> These barriers may include organizational, technological, and physical workspace separation of people with access to MNPI from people who do not need access.<a href="#footnote46">[46]</a> Information barriers may also include processes such as watch lists, restricted lists, accompanying reviews of employee and proprietary trading, written procedures, and documentation of reviews.<a href="#footnote47">[47]</a> </p><p> <em>B. </em> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Acknowledgments and Nondisclosure Agreements</em></p><p>The Enterprise should establish procedures to determine the need for covered parties to execute annual acknowledgements and nondisclosure agreements based upon the materiality of the relationship with the covered party and the extent to which that party has access to MNPI.</p><p> <em>C.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Post-Employment Controls</em></p><p>The Enterprise should implement controls designed to ensure that all MNPI in the possession of a covered party will be returned to the Enterprise or destroyed at the termination of his or her relationship with the Enterprise. Covered parties should understand that if their employment or contract period with the Enterprise terminates at a time when they possess MNPI, they continue to be responsible for protecting that information and continue to be prohibited from disclosing or trading on that information until the information is disclosed to the public or until the information is no longer material. It is the covered party's obligation to determine whether these conditions are met.</p><p> <em>D.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Training</em></p><p style="text-align&#58;left;">Enterprise employees should be held accountable and be aware of their insider risk management roles and responsibilities.<a href="#footnote48">[48]</a> An Enterprise should require all employees, board members, and third-party providers with access to MNPI to annually review or be trained on the relevant provisions of the insider trading governing documents and complete annual training covering key insider trading topics including conflicts of interest. </p><p> <strong>IV.</strong><strong>&#160;&#160;&#160;&#160;&#160;&#160; </strong> <strong>Internal Surveillance and Monitoring</strong></p><p>Insider trading risk should be monitored regularly to identify changes or trends in exposures over time.<a href="#footnote49">[49]</a> The insider trading governing documents should include procedures for&#58; </p><p>Determining whether a covered party's trading and MNPI protection activities will be monitored, and if so how; </p><p>Automating processes for monitoring and scanning covered parties' brokerage accounts;</p><p>Ensuring that annual certifications and employment contracts address post-employment, post-contract trading and disclosures and prohibit improper disclosures and improper trading until MNPI is disclosed to the public or until the information is no longer material;</p><p>Evaluating whether a covered party's access to MNPI warrants oversight related to personal trade activity or other MNPI related restrictions;</p><p>Identifying and assessing business processes with heightened risk for illegal insider activity; </p><p>Investigating, tracking, and reporting possible illegal insider activity; </p><p>Detecting illegal insider activity if and when it occurs; </p><p>Evaluating and responding to illegal insider activity; and </p><p>Monitoring and independently testing business lines to determine overall adequacy and effectiveness of insider trading risk management.</p><p> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">V.</strong><strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">&#160;&#160;&#160;&#160;&#160;&#160;&#160; </strong> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">Disclosures and Reporting</strong></p><p> <em>A.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>Internal Reporting </em></p><p>An effective compliance program should generate periodic internal disclosures, notifications, and reporting information on insider trading risk in a form that comports with the insider trading governing documents. The compliance officer's reports to the chief executive officer<a href="#footnote50">[50]</a> and to the board<a href="#footnote51">[51]</a> must address the adequacy of the Enterprise's compliance policies and procedures, including those related to insider trading.<a href="#footnote52">[52]</a> The substance of such reporting should be relevant, accurate, complete, timely, consistent, and comprehensive, and should enable the execution of sound and informed risk management decisions.<a href="#footnote53">[53]</a> Such reports should contain sufficient information to ensure effective oversight, escalation and timely resolution of insider trading noncompliance and control deficiencies.<a href="#footnote54">[54]</a> These internal reports should be designed to ensure that the board and relevant committees are properly informed of the Enterprise's insider risk management activities<a href="#footnote55">[55]</a> and the outcomes of such activities, including significant instances of noncompliance with insider trading obligations.<a href="#footnote56">[56]</a></p> <br> <em>B.</em><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em> <em>External Reporting </em> <br> <p>The Enterprise's insider trading governing documents should address the Enterprise's obligation<a href="#footnote57">[57]</a> to submit timely reports to FHFA, Financial Crimes Enforcement Network, SEC, and other applicable regulators when the Enterprise discovers or suspects possible insider trading, or other fraud related to the purchase or sale of any loan or financial instrument.<a href="#footnote58">[58]</a> </p><p></p><p>Enterprise policies, standards and procedures should incorporate the reporting obligations and limitations set forth in Section 16 of the Exchange Act.<a href="#footnote59">[59]</a> Section 16 establishes regulatory filing responsibilities of specified reporting insiders, such as Section 16 officers<a href="#footnote60">[60]</a> and members of the board of directors.<a href="#footnote61">[61]</a> </p><p>​Insider trading governing documents should also comply with applicable laws and regulations pertaining to the full and fair disclosure of information to the public.<a href="#footnote62">​[62]</a></p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related Guidance and Regulations</em></strong></span></p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.</p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.</p><p> <em>Enterprise Risk Management Program</em>, Federal Housing Finance Agency Advisory Bulletin 2020-06, December 11, 2020.</p><p> <em>Financial Reporting and Disclosure and External Audit</em>, Federal Housing Finance Agency Advisory Bulletin 2020-04, August 20, 2020.</p><p> <em>Compliance Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019.</p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2019-04, September 18, 2019.</p><p> <em>Business</em><em> Resiliency Management</em>, Federal Housing Finance Agency Advisory Bulletin 2019-01, May 7, 2019.</p><p> <em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016.</p><p> <em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Fraud Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.</p><p> <em>FHFA Enforcement Policy,</em> Federal Housing Finance Agency Advisory Bulletin 2013-03, May 31, 2013.<br></p><p>_______________________________<br></p><p>​ <a name="footnote1">[1]</a> Common Securitization Solutions, LLC is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. § 4502(1), and this AB applies to it.</p><p> <a name="footnote2">[2]</a><em>See</em> FHFA Advisory Bulletin 2019-01, <em>Business Resiliency Management</em> (May 7, 2019).</p><p> <a name="footnote3">[3]</a><em>See</em><em> </em>17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2).</p><p> <a name="footnote4">[4]</a><em>See</em> 15 U.S.C. § 78c(a)(10) for definition of “security.&quot;</p><p> <a name="footnote5">[5]</a> Rule 10b5-1 plans are passive investment plans through which companies and corporate insiders relinquish direct control over transactions.</p><p> <a name="footnote6">[6]</a><em>See </em>discussion in Section II.C. below.</p><p> <a name="footnote7">[7]</a> 15 U.S.C. § 78a <em>et seq</em>.</p><p> <a name="footnote8">[8]</a> Sections 10(b), 16 and 21A(b)(1) of the Exchange Act. <em>See generally</em> U.S. Securities and Exchange Commission&#58; <em>The Laws that Govern the Securities Industry</em>. Retrieved from www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry. </p><p> <a name="footnote9">[9]</a> SEC&#58; <em>Rules and Regulations for the Securities and Exchange Commission and Major Securities Laws</em>. Retrieved from www.sec.gov/about/laws/secrulesregs.htm.</p><p> <a name="footnote10">[10]</a><em>See</em> SEC's Final Rule&#58; <em>Selective Disclosure and Insider Trading</em>, 65 FR 51715, 51721 (August 24, 2000) (hereinafter Final Fair Disclosure Rule). <em>See also</em> 17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2).</p><p> <a name="footnote11">[11]</a> Final Fair Disclosure Rule, footnote 38.</p><p> <a name="footnote12">[12]</a><em> Id</em>., footnote 39.</p><p> <a name="footnote13">[13]</a><em> Id.</em>, footnote 40.</p><p> <a name="footnote14">[14]</a> 15 U.S.C. § 78u (identifying civil penalties for insider trading). </p><p> <a name="footnote15">[15]</a><em>See</em> 17 CFR 240.10b-5.</p><p> <a name="footnote16">[16]</a> 18 U.S.C § 1348 (Jan. 14, 2019). </p><p> <a name="footnote17">[17]</a> 12 U.S.C. § 4642. <em>See also</em> 12 CFR 1233.3(a); FHFA Advisory Bulletin 2019-04&#58; <em>Enterprise Fraud Reporting</em> (Sept. 18, 2019); and FHFA Advisory Bulletin 2015-07&#58; <em>Fraud Risk Management </em>(Sept. 29, 2015).</p><p> <a name="footnote18">[18]</a><em>See</em> FHFA Advisory Bulletin 2013-03, <em>FHFA Enforcement Policy</em> (May 31, 2013). <em>See also</em> FHFA Advisory Bulletin 2017–01, <em>Classifications of Adverse Examination Findings</em> (Mar. 13, 2017).</p><p> <a name="footnote19">[19]</a> For Fannie Mae, <em>see</em> Del. Code Ann. § 141(a) (2011). For Freddie Mac, <em>see </em>Va. Code Ann. § 13.1-690(A) (2012).</p><p> <a name="footnote20">​[20]</a> For the internal audit function, see also FHFA Advisory Bulletin 2016–05, <em>Internal Audit Governance and Function</em> (Oct. 7, 2016).</p><p> <a name="footnote21">[21]</a> PMOS, Standard 1, Principle 8. </p><p> <a name="footnote22">[22]</a><em>See</em> FHFA Advisory Bulletin 2019-05, <em>Compliance Risk Management</em> (Oct. 3, 2019) (AB 2019-05). <em>See also</em> U.S. Department of Justice, Criminal Division, <em>Evaluation of Corporate Compliance Programs</em> (June 1, 2020), <a href="https&#58;//www.justice.gov/criminal-fraud/page/file/937501/download">https&#58;//www.justice.gov/criminal-fraud/page/file/937501/download</a> (DOJ Guidance on Compliance Programs). </p><p> <a name="footnote23">​[23]</a><em>See discussion</em> in Section II.C. below.</p><p> <a name="footnote24">[24]</a> 12 CFR 1239.11(a). <em>See also</em> AB 2019-05.</p><p> <a name="footnote25">[25]</a> The Enterprise is required to establish and maintain a comprehensive risk management program in accordance with all applicable laws and regulations. <em>See</em> Corporate Governance Rule, 12 CFR Part 1239. <em>See also </em>FHFA Advisory Bulletin 2020-06, <em>Enterprise Risk Management Program </em>(Dec. 11, 2020) (AB 2020-06), AB 2019-05, and PMOS, <em>Responsibilities of the Board of Directors and Senior Management</em>&#58; Principles 1, 4 – 7 and Standard 8, Principles 1 and 3.</p><p> <a name="footnote26">[26]</a> 12 CFR 1239.10. </p><p> <a name="footnote27">[27]</a> PMOS, <em>Responsibilities of the Board of Directors and Senior Management&#58; </em>Principle 9. <em>See also</em> PMOS, Standard 1, Principles 3, 4, and 16.</p><p> <a name="footnote28">[28]</a><em>See</em> Section 1, AB 2019-05, and AB 2020-06.</p><p> <a name="footnote29">[29]</a><em>See</em> AB 2019-05. Additionally, the Sarbanes-Oxley Act protects corporate whistleblowers for providing information about insider trading, securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud. <em>See</em><a href="https&#58;//www.sec.gov/whistleblower/retaliation">https&#58;//www.sec.gov/whistleblower/retaliation</a>.</p><p> <a name="footnote30">[30]</a><em>See</em> PMOS, Standard 1, Principles 2 and 16. <em>See</em> AB 2019-05, page 5.</p><p> <a name="footnote31">[31]</a><em>See</em> 12 CFR 1239.3(a) and 12 CFR 1239.11(a)(3)(ii).</p><p> <a name="footnote32">[32]</a><em>See</em> DOJ Guidance on Compliance Programs. The document is designed to assist “prosecutors in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).&quot;</p><p> <a name="footnote33">[33]</a><em>See</em> Sections 20(a) and 21A(b)(1) of the Exchange Act. <em>See also</em><em>Graham v. SEC</em>, 222 F.3d 994, 1000 (D.C. Cir. 2000) (reviewing the elements of aiding and abetting liability).</p><p> <a name="footnote34">[34]</a> This AB addresses conflicts of interest arising from misuse of MNPI for personal benefit in securities transactions. This AB does not address supervisory expectations related to managing risks associated with other types of conflicts of interest, such as outside activities, political activities, and business courtesies.</p><p> <a name="footnote35">[35]</a><em>See</em> AB 2019-05, Section 2, page 5.</p><p> <a name="footnote36">[36]</a><em>See</em> FHFA Advisory Bulletin 2016-04, <em>Data Management and Usage</em> (Sept. 29, 2016) (AB 2016-04), page 1.</p><p> <a name="footnote37">[37]</a><em>See</em> AB 2016-04, page 4. <em>See also</em> FHFA Advisory Bulletin 2017-02, <em>Information Security Management</em> (Sept. 28, 2017) (AB 2017-02), page 10.</p><p> <a name="footnote38">[38]</a><em>See</em> FHFA Advisory Bulletin 2018-08, <em>Oversight of Third-Party Provider Relationships</em> (Sept. 28, 2018).</p><p> <a name="footnote39">[39]</a><em>See</em> 15 U.S.C. § 78u-1(a)(1)(B).</p><p> <a name="footnote40">[40]</a><em>See</em> FHFA Advisory Bulletin 2014-02, <em>Operational Risk Management</em> (Feb. 18, 2014) (ORM AB), page 3.</p><p> <a name="footnote41">[41]</a> PMOS, Standard 1, Principles 4 and 5. <em>See also</em> ORM AB, page 3.</p><p> <a name="footnote42">[42]</a> AB 2020-06, Sections I.A, B, and C.</p><p> <a name="footnote43">[43]</a> PMOS, Standard 1, Principle 10.</p><p> <a name="footnote44">[44]</a><em>See</em> AB 2017-02. </p><p> <a name="footnote45">[45]</a> SEC defines “information barriers&quot; as written policies and procedures reasonably designed to prevent misuse of MNPI in violation of the securities laws. <em>See discussion</em> in Section III.A. below. <em>See generally</em> SEC, Staff of the Office of Compliance Inspections and Examinations, <em>Staff Summary Report on Examinations of Information Barriers</em> (Sept. 27, 2012) (Information Barrier Summary Report), located at <a href="https&#58;//www.sec.gov/about/offices/ocie/informationbarriers.pdf">https&#58;//www.sec.gov/about/offices/ocie/informationbarriers.pdf</a>.</p><p> <a name="footnote46">[46]</a> AB 2017-02.</p><p> <a name="footnote47">[47]</a> Information Barrier Summary Report, page 7.</p><p> <a name="footnote48">[48]</a><em>See</em> 12 CFR 1239.11(a)(3) and PMOS, Standard 8.</p><p> <a name="footnote49">[49]</a> AB 2020-06, Section III.</p><p> <a name="footnote50">[50]</a> 12 CFR 1239.12.</p><p> <a name="footnote51">[51]</a> Ibid.</p><p> <a name="footnote52">[52]</a> Ibid. <em>See also</em> AB 2019-05.</p><p> <a name="footnote53">[53]</a><em>S</em><em>ee</em> 12 CFR 1239.11(c)(3)(ii) and AB 2016-04. </p><p> <a name="footnote54">[54]</a> ORM AB, page 5. <em>See also</em> AB 2016-04.</p><p> <a name="footnote55">[55]</a><em>See</em> AB 2020-06 (“Systems and processes supporting risk and control reporting should align under a common data architecture to facilitate and support the Enterprise's risk aggregation and enterprise-wide reporting.&quot;)</p><p> <a name="footnote56">[56]</a> 12 CFR 1239.11(b), 12 CFR 1239.11(c)(3)(iv), and 1239.12.</p><p> <a name="footnote57">[57]</a> 12 U.S.C. § 4642.</p><p> <a name="footnote58">[58]</a><em>See</em> 12 CFR 1233.3(a) and the guidelines in FHFA Advisory Bulletin 2019-04&#58; <em>Enterprise Fraud Reporting</em> (Sept. 18, 2019). <em>See also</em> FHFA Advisory Bulletin 2020-04, <em>Financial Reporting and Disclosure and External Audit</em> (Aug. 20, 2020).</p><p> <a name="footnote59">[59]</a> Section 16 of the Securities and Exchange Act of 1934, specifies mandatory disclosure requirements for “[e]very person who is directly or indirectly the beneficial owner of more than 10 percent of any class of any equity security (other than an exempted security) which is registered pursuant to 12, or who is a director or an officer of the issuer of such security.&quot; Exchange Act. <em>See also</em> 17 CFR 240.16a-2 (Persons and transactions subject to Section 16 of the Exchange Act).</p><p> <a name="footnote60">[60]</a> Section 16 officers refers to officers of the Enterprise as defined by Rule 16a-1(f) under the Exchange Act.</p><p> <a name="footnote61">[61]</a><em>See</em> SEC&#58; Investor Bulletin <em>Insider Transactions and Forms 3, 4, and 5. </em>Retrieved at www.sec.gov/files/forms-3-4-5.pdf. </p><p> <a name="footnote62">[62]</a><em>See</em> Final Fair Disclosure Rule.​<br></p><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>FHFA has statutory responsibility to ensure&#160; the safe and sound operations of the regulated entities and the Office of Finance.&#160;&#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations&#160;in&#160;particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160;Questions about this advisory bulletin should be directed to&#58; <a>SupervisionPolicy@fhfa.gov.<br></a></p> <a> </a></td></tr></tbody></table> <span style="color&#58;#444444;font-style&#58;normal;">​</span><br></div>2/8/2022 3:01:00 PMHome / Supervision & Regulation / Advisory Bulletins / Insider Trading Risk Management Advisory Bulletin AB 2022-01:  Insider Trading Risk Management 11474https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Enterprise Fair Lending and Fair Housing Compliance36635Fannie Mae & Freddie Mac12/20/2021 5:00:00 AMAB 2021-04<table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;border-spacing&#58;0px;table-layout&#58;fixed;background-color&#58;#ffffff;"><tbody style="border&#58;0px;font&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><tr style="border&#58;0px;font&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">​​​​​ADVISORY BULLETIN</span></p><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">AB 2021-04&#58;&#160; Enterprise Fair Landing and Fair Housing Compliance</span></p><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"><span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB%202021-04%20Enterprise%20Fair%20Lending%20and%20Fair%20Housing%20Compliance.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2021-04]</a></span></p></td></tr></tbody></table><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;text-align&#58;justify;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;text-decoration-line&#58;underline;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"></em></span></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;text-decoration-line&#58;underline;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">Purpose</span></em><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;">​<span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;calibri, sans-serif;">FHFA’s Enterprise fair lendi​ng examination program is conducted by the Office of Fair Lending Oversight (“OFLO”) within the Division of Housing Mission and Goals. </span><span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;calibri, sans-serif;">The purpose of this advisory bulletin is to provide FHFA’s supervisory expectations and guidance to Fannie Mae and Freddie Mac (the Enterprises) on fair lending compliance. FHFA considers ensuring Enterprise compliance with fair lending laws part of FHFA’s obligation to affirmatively further the purposes of the Fair Housing Act in its program of regulatory and supervisory oversight over the Enterprises and its responsibility to ensure the Enterprises comply with all applicable laws</span>.<a href="#footnote1">[1]</a><span style="font-style&#58;normal;">&#160;</span><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;text-decoration-line&#58;underline;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;">Background</em></span></p><p>The federal fair lending laws that apply to the Enterprises include&#58;</p><ul><li>Fair Housing Act – 42 U.S.C. 3601 et seq.</li><ul><li>Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100</li></ul><li>Equal Credit Opportunity Act (ECOA) – 15 U.S.C. 1691 et seq.</li><ul><li>Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002</li></ul><li>Safety and Soundness Act fair housing provision – 12 U.S.C. 4545</li><ul><li>HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C<br>&#160;</li></ul></ul><p>FHFA's fair lending policy statement generally articulates its policy on fair lending and how it uses its authorities to ensure compliance with fair lending laws.<a href="#footnote2">[2]</a> The Enterprises are subject to several associated fair lending requirements such as requirements to obtain and maintain data relevant to ensuring compliance with fair lending laws, report certain information to FHFA pursuant to FHFA's reporting order on fair lending,<a href="#footnote3">[3]</a> include certain information related to fair lending in their annual housing reports, and comply with fair lending requirements associated with other FHFA processes and requirements. The Enterprises are also subject to Department of Housing and Urban Development (“HUD&quot;) oversight related to fair housing. FHFA and HUD have signed a&#160;memorandum of understanding regarding cooperation and coordination with respect to fair housing and fair lending.<a href="#footnote4" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[4​]</a> In certain circumstances, FHFA provides notification to HUD and DOJ of information that suggests a violation of the Fair Housing Act or that indicates a possible pattern or practice of discrimination in violation of the Fair Housing Act.<a href="#footnote5" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[5]</a> The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market.</p><p> <em style="text-decoration-line&#58;underline;">Guidance</em><br></p><p>Each Enterprise must fully comply with all applicable fair lending laws in its operations. FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Each Enterprise must fully comply with associated fair lending requirements. FHFA encourages each Enterprise to affirmatively further the purposes of the Fair Housing Act, including promoting fair lending compliance among their business counterparties while furthering their public purposes in the mortgage market and within their own activities relating to housing and urban development.<br></p><h3>​I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Compliance with Fair Lending Laws</h3><p>The following section provides general guidance with respect to Enterprise compliance with fair lending laws. It is not intended to provide authoritative or definitive statements of fair lending law and is intended to give practical guidance for fair lending compliance with respect to Enterprise operations based on a combined application of all fair lending laws noted in the Background section. The examples provided are general in nature. When determining whether a fair lending violation has occurred, close scrutiny of the facts and law are warranted in all cases. However, even situations where conduct is close to the line of illegality with respect to fair lending raise questions about appropriate risk management and effectiveness of or support for the fair lending program. The fact that an aspect of fair lending law is not covered explicitly in this advisory bulletin should not be construed to mean that FHFA will not enforce that aspect as part of fair lending supervision.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; Prohibited Bases</h4><p>Prohibited bases<a href="#footnote6">[6]</a> protected from discrimination under the Federal fair lending laws noted above are&#58;</p><ul><li>Race</li><li>Color</li><li>Religion</li><li>National Origin</li><li>Sex, Sexual Orientation, and Gender Identity<a href="#footnote7">[7]</a></li><li>Marital Status</li><li>Age</li><li>Receipt of income derived from any public assistance program</li><li>Exercise, in good faith, of any right under the Consumer Credit Protection Act<a href="#footnote8">[8]</a></li><li>Familial status</li><li>Disability<a href="#footnote9">​[9]</a></li><li>Consideration of the age of a dwelling or age of the neighborhood in a manner that has an unjustified discriminatory effect</li><li>Consideration of the location of a dwelling or the census tract where the dwelling is located in a manner that has an unjustified discriminatory effect<br></li></ul><div> <br> </div><div>An<span style="color&#58;#444444;">&#160;Enterprise may not discriminate on a prohibited basis because of the characteristics of&#58;</span></div><div> <span style="font-style&#58;normal;color&#58;#444444;"> <br></span></div><div><ul><li> <span style="font-style&#58;normal;color&#58;#444444;">An applicant, prospective applicant, or</span><span style="font-style&#58;normal;color&#58;#444444;">&#160;</span><span style="font-style&#58;normal;color&#58;#444444;">borrower</span></li><li> <span style="font-style&#58;normal;color&#58;#444444;"></span> <span style="color&#58;#444444;">A</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">person</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">associated</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">with</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">an</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">applicant,</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">prospective</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">applicant,</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">or</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">borrower</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">(for example, a co-applicant, spouse, business partner, or live-in</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">aide)</span></li><li> <span style="color&#58;#444444;">The present or prospective occupants of the subject property, or</span></li><li> <span style="color&#58;#444444;">The characteristics</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">of</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">the</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">neighborhood</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">or</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">other</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">area</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">where</span><span style="color&#58;#444444;"> the subject </span><span style="color&#58;#444444;">property</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">is located</span><a href="#footnote10">[​10]</a><br></li></ul><div> <br> </div><h4>B.&#160;&#160;&#160;&#160;&#160; Covered Enterprise Activities</h4><p> <span style="font-family&#58;lato, sans-serif;font-weight&#58;900;"></span>Enterprise activities covered by fair lending laws include but are not limited to&#58;</p><ul><li> <span style="font-style&#58;normal;color&#58;#444444;">Purchasing residential&#160;estate loans (includi</span><span style="font-style&#58;normal;color&#58;#444444;">ng setting terms and conditions for purchase);<a href="#footnote11">[11]​</a></span></li> <a href="#footnote11"></a> <li> <a href="#footnote11"> <span style="color&#58;#444444;">Providing loans or financial assistance for residential real estate;</span></a><a href="#footnote12">​[12]</a></li><li>Participating&#160;in credit decisions<a href="#footnote13">[13]</a>​<br></li><li> <span style="color&#58;#444444;">Selling dwellings (such as through REO disposition);</span><a href="#footnote14">​[14]</a><br></li><li> <span style="color&#58;#444444;">Advertising, communications, and statements (including among employees);</span><a href="#footnote15">​[15]</a></li><li> <span style="color&#58;#444444;">Setting standards for appraisals and relying on appraisals in purchasing real estate loans;</span><a href="#footnote16">​[16]</a></li><li> <span style="color&#58;#444444;">Making decisions related to loss mitigation in servicing of real estate loans (including establishing standards for such decisions);</span><a href="#footnote17">​[17]</a></li><li> <span style="color&#58;#444444;">Pooling, packaging, and securitizing residential real estate loans and marketing and selling such securities;</span><a href="#footnote18">​[18]</a></li><li> <span style="color&#58;#444444;">Multifamily purchasing and lending, setting standards for such purchasing and lending, servicing multifamily loans, and pooling or securitization related to multifamily dwellings;</span><a href="#footnote19">​[19]</a></li><li> <span style="color&#58;#444444;">Making housing unavailable;</span><a href="#footnote20">​[20]</a><span style="color&#58;#444444;"> and</span></li><li> <span style="color&#58;#444444;">Models related to these activities</span></li></ul><p> <span style="font-style&#58;normal;color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;">Methods of proving discrimination under these fair lending laws include&#58;</span><br></p><p></p><ul><li> <span style="color&#58;#444444;">Overt or direct evidence of disparate treatment;</span></li><li> <span style="color&#58;#444444;">Comparative or indirect evidence of disparate treatment (including code word or redlining evidence); and</span></li><li> <span style="color&#58;#444444;">Evidence of disparate impact where the Enterprise did not demonstrate a legitimate business justification</span></li></ul> <span style="color&#58;#444444;"></span> <p></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;">Additional types of prohibited discrimination that are relevant in Enterprise fair lending compliance include&#58;</span><br></p><p></p><ul><li> <span style="color&#58;#444444;">Discriminatory statements, steering, and discouragement;</span></li><li> <span style="color&#58;#444444;">Use of discriminatory appraisals;</span><a href="#footnote21">​[21]</a><span style="color&#58;#444444;"> and</span></li><li> <span style="color&#58;#444444;">Discriminatory interference or retaliation</span></li></ul> <span style="color&#58;#444444;"></span> <p></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;"></span></p><h4>C.&#160;&#160;&#160;&#160;&#160; Direct and Vicarious Liability</h4><p>The Fair Housing Act imposes liability for violations through both direct and vicarious liability, including the conduct of employees and agents and third parties in certain circumstances.<a href="#footnote22">[22]</a></p><p>An Enterprise is directly responsible for a fair housing violation resulting from its own conduct, and vicariously responsible for a fair housing violation that results from the conduct of its agents and employees, regardless of whether the Enterprise knew or should have known of the conduct of its agents and employees, consistent with agency law.<a href="#footnote23">[23]</a></p><p> <span style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-style&#58;normal;color&#58;#444444;">An Enterprise is also responsible for failing to take prompt action to correct and end a fair housing violation in certain circumstances, including&#58;</span></p><p></p><ul><li> <span style="color&#58;#444444;">Such a violation by the Enterprise's employee or agent where the Enterprise knew or should have known of the discriminatory conduct; and</span></li><li> <span style="color&#58;#444444;">Such a violation by a third-party, where the Enterprise knew or should have known of the discriminatory conduct and had the power to correct it, depending on the extent of the Enterprise's control or other legal responsibility an Enterprise may have with respect to the third party's conduct.</span><a href="#footnote24">[24]</a><br><br></li></ul><div><h4>D.&#160;&#160;&#160;&#160;&#160; Disparate Treatment</h4><p>Disparate treatment occurs when an Enterprise treats a borrower or property differently based on one of the prohibited bases. It does not require any showing that the treatment was motivated by prejudice or a conscious intention to discriminate beyond the difference in treatment itself. Disparate treatment may more likely occur in the treatment of borrowers or properties that are neither clearly well-qualified nor clearly unqualified or where discretionary processes are present.</p><p>The existence of illegal disparate treatment may be established either by statements revealing that an Enterprise explicitly considered prohibited factors (overt evidence) or by differences in treatment that are not fully explained by legitimate nondiscriminatory factors (comparative evidence). Disparate treatment can also be shown through appropriate statistical analysis.<br></p><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Overt or Direct Evidence of Disparate Treatment</h5><p>There is overt evidence of discrimination when oral or written statements indicate an Enterprise discriminates on a prohibited basis without need for inference or comparative evidence. <a href="#footnote26">[25]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58; </em>Suppose an Enterprise asset manager for REO properties decides not to repair or upgrade a property in the capital city of a tribal nation before putting it on the market and justifies the decision because it is near “Indian nation public housing&quot; and “buyers may have a problem with that.&quot; The decision would be a violation because it was made because of the&#160;race of nearby residents of the neighborhood.<a href="#footnote26">[26]</a><br></p></div></div></blockquote><div><div><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Comparative or Indirect Evidence of Disparate Treatment </h5><p>If an Enterprise has apparently treated similarly situated borrowers or properties differently on the basis of a prohibited factor, it must provide a legitimate non-discriminatory explanation for the difference in treatment. If the Enterprise's explanation is found to be not credible or not applied consistently to similarly situated borrowers or properties, FHFA may find that the entity discriminated.<a href="#footnote27">[27]</a></p> <br> </div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise asset manager for REO properties repairs or upgrades an REO property in a white neighborhood when “only cosmetic&quot; repairs are needed but does not repair an REO property with similar characteristics in a minority neighborhood when “only cosmetic&quot; repairs or upgrades are needed. Suppose also that there is no clear policy on how to handle cosmetic repairs, leaving it to the asset manager's discretion. The decision would be a violation because it treated similarly situated properties in minority and white neighborhoods differently without a credible legitimate non-discriminatory explanation or consistent application.</p></div></div><div><div><p> <em>Example&#58; </em>Suppose an Enterprise determines it will stop doing business with a minority multifamily sponsor due to property maintenance concerns. A white multifamily sponsor presents similar property maintenance concerns, but instead, receives a warning. The Enterprise is unable to provide evidence explaining the difference in treatment between the two sponsors. The decision would be a violation because it treated two similarly situated sponsors of different race/ethnic backgrounds differently without a credible legitimate non-discriminatory explanation or consistent application.</p></div></div></blockquote><div><div><h5>3.&#160;&#160;&#160;&#160;&#160; Redlining<br></h5><p>Redlining is a form of illegal disparate treatment in which an Enterprise treats borrowers or properties differently because of the race, color, national origin, or other prohibited characteristic(s) of the residents of the area without any legitimate business reason. It is often shown by overt evidence, comparative evidence of differences in treatment, and can be supported by maps showing differences in outcomes for borrowers or properties in neighborhoods with different racial characteristics.<a href="#footnote28">[28]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise provides discretion to multifamily underwriters to accept or reject purchases of multifamily loans. For the past two years, this Enterprise accepted nearly four times as many applications for properties located in white neighborhoods compared with properties located in Black neighborhoods. Maps of Metropolitan Statistical Areas (“MSAs&quot;) depicting accepted and rejected purchases showed avoidance of majority-Black neighborhoods, and where there were accepted loans in majority-Black neighborhoods, they were almost exclusively along the edges of those neighborhoods in close proximity to white neighborhoods. This policy would present fair lending risk and could be a violation because the Enterprise's discretionary policies resulted in redlining.</p></div></div></blockquote><div><h5>4.&#160;&#160;&#160;&#160;&#160;&#160; Code Word Evidence of Disparate Treatment<br></h5><p>Use of certain code words can be evidence of disparate treatment. Whether a code word is evidence of disparate treatment depends on the context, inflection (if spoken), tone of voice (if spoken), custom, and historical usage.<a href="#footnote29">[29]</a> Examples of potential code words include describing minority neighborhoods as “crime-ridden,&quot; “inner city&quot; neighborhoods, or lacking “pride of ownership.&quot;<a href="#footnote30">[30]</a> Code word evidence should be carefully evaluated in its full context before drawing conclusions.</p><h4>E.&#160;&#160;&#160;&#160;&#160; Disparate Impact<br></h4><p>When a neutral policy or practice disproportionately excludes or burdens certain persons or neighborhoods on a prohibited basis, the policy or practice is described as having a &quot;disparate impact.&quot;<br></p><p>The fact that a policy or practice creates a disparity on a prohibited basis is not alone proof of a violation. When a disparate impact is identified, the next step is to determine whether the policy or practice is necessary to achieve one or more substantial, legitimate, nondiscriminatory objectives. Factors that may be relevant to the justification could include cost, profitability, or compliance with legal requirements, among others. Even if a policy or practice that has a disparate impact on a prohibited basis can be justified by a legitimate nondiscriminatory objective, the policy or practice still may be found to be in violation of the Fair Housing Act if an alternative policy or practice could serve the legitimate nondiscriminatory interests by another practice with less discriminatory effect. Evidence of discriminatory intent is not necessary to establish a violation based on disparate impact. Appropriate statistical analysis is usually necessary to evaluate whether a policy creates a disparity and may also be relevant in assessing justification and potential less discriminatory alternatives.<a href="#footnote31">[31]</a> </p><p>A fair lending self-evaluation of a policy or practice, assessing its impact and considering whether potential less discriminatory alternatives would serve the Enterprise's legitimate nondiscriminatory objective, could be part of an effective compliance risk management process, and provide helpful support for concluding that the policy or practice is not a disparate impact violation, especially when evidence indicates that the least discriminatory alternative was adopted.<br></p></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise has a special Guide requirement in place for properties in Puerto Rico. This policy has been in place without review for a substantial period of time to determine its effectiveness or need in preventing significant costs or losses. The Enterprise does not subject any other state or territory to this requirement with similar or greater risk. This policy disproportionately affects Latino borrowers as the predominant residents of Puerto Rico. The policy would be a violation because it has a significant disparate impact but lacks clear justification.</p></div></div><div><div><p> <em>Example&#58;</em> Suppose an Enterprise's automated underwriting model includes a factor that leads to significantly lower disproportionate acceptance rates for Black borrowers. The factor improves the model's ability to predict risk, but only marginally so. The model is still a sound, predictive model that meets the Enterprise's business needs without the factor Including the factor would be a violation because it has a significant disparate impact but the model without the factor would be a less discriminatory alternative.<a href="#footnote32">[32]</a></p></div></div><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise's business policy treats properties with a current market value of lower than $100,000 less favorably than properties above that threshold. The policy disproportionately affects more properties in minority neighborhoods than white neighborhoods. The policy has a legitimate business purpose, but other means having less disproportionate impact are available to achieve that purpose. The policy would be a violation because less discriminatory alternative policies are available.<br></p></div></div></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise underwriting model has a higher cutoff score for certain metro areas. The higher cutoff score is based on an Enterprise's risk assessment of a specific factor for that metro and is unknown to applicants and lenders. The policy has a disproportionate impact on Black and Latino applicants who are rejected by this higher cutoff score at higher rates than white applicants. The Enterprise generally does not take metro-area differences into account in underwriting in other ways. The projected stress losses of not using the higher cutoff score for certain metro areas are minimal. The policy would be a violation because a less-discriminatory alternative exists in the Enterprise's general policy of not taking into account metro-area differences. Prudent fair lending risk management is especially warranted of location-based criteria that have a disparate impact given the Enterprise's obligations under its statutory charter and the Safety and Soundness Act.<a href="#footnote33">[33]</a><br></p> <br> </div></div></blockquote><div><div><h4>F.&#160;&#160;&#160;&#160;&#160; Discriminatory Statements, Steering, and Discouragement</h4><p>Making or publishing advertisements, statements, or notices that indicate a preference, limitation or discrimination on a prohibited basis violate the Fair Housing Act.<a href="#footnote34">[34]</a> Such statements could be made to the public, or to agents or employees if made as part of a decision-making process.<a href="#footnote35">[35]</a> Selecting media or locations for publication or the form of advertisements (such as the repeated absence of non-white models) may also constitute discriminatory advertisements or statements. Whether a statement is a violation does not depend on the intent of the speaker or writer, but on whether a reasonable person would interpret the statement to indicate a preference, limitation, or discrimination.</p><p>Unlawful steering also constitutes a violation of the Fair Housing Act.<a href="#footnote36">[36]</a> Steering involves restricting or attempting to restrict neighborhood choice by word or conduct to perpetuate segregated housing patterns or discourage or obstruct free neighborhood choice. Examples include statements that discourage home purchases on a prohibited basis by exaggerating the drawbacks or failing to note the desirable features of a home or neighborhood and statements that indicate a person would not be comfortable or compatible with existing neighborhood residents. It is also a violation to make oral or written statements to applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application for credit.<a href="#footnote37">[37]</a> </p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise advertises an REO property on its website and notes its location in a “culturally diverse area.&quot; The residents of the neighborhood where the property is located are nearly all Black. This statement would be a violation because it describes the neighborhood in racial terms. It also could constitute a steering violation because it can reasonably be interpreted to indicate who may or may not be comfortable living near the existing residents of the neighborhood.<br></p></div></div></blockquote><div><div><h4>G.&#160;&#160;&#160;&#160;&#160; Reliance on Discriminatory Property Valuation</h4><p>It is a Fair Housing Act violation to use a property valuation in connection with the sale or financing of a dwelling when an Enterprise knows or reasonably should know that the property valuation improperly takes into consideration a prohibited basis.<a href="#footnote38">[38]</a> Further, the Safety and Soundness Act fair housing provision, implemented by HUD regulations, prohibits an Enterprise from discriminating in any manner in the purchase of a mortgage, including discriminatory property valuation.<a href="#footnote39">[39]</a>&#160;</p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise relies on an appraisal that undervalues a property in a minority neighborhood in establishing the loan-to-value ratio for a loan purchase and the appraisal includes comments from the appraiser that the neighborhood is “predominately Hispanic,&quot; the residents have “assimilated their culture heritage&quot; into the neighborhood, and it was now “one spicy neighborhood.&quot; The reliance would be a violation because the Enterprise should have known the appraisal improperly considered a prohibited basis.</p></div></div></blockquote><div><div><h4>H.&#160;&#160;&#160;&#160;&#160;&#160; Retaliation or Interference</h4><p>It is a Fair Housing Act violation to coerce, intimidate, threaten, or interfere with any person for having aided or encouraged any other person in the exercise of fair housing rights.&#160; This includes such conduct toward Enterprise employees or agents that report fair housing violations to an Enterprise or other authorities including FHFA or HUD or who take steps to try to correct such violations.<a href="#footnote40">[40]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise employee believes an Enterprise operational area is violating fair lending laws and seeks to correct the problem. The employee's manager threatens to reassign him to a different practice group if he does not immediately drop the matter and reverse his assessment. The conduct would be a violation because the employee engaged in protected activity by trying to uphold fair housing rights and the manager's actions interfered with that activity in circumstances indicating it was motivated by the protected activity. &#160;</p></div></div></blockquote><div><div><h4>I.&#160;&#160;&#160;&#160;&#160;&#160; Reasonable Accommodations<br></h4><p>It is a Fair Housing Act violation for an Enterprise to fail to refuse to make reasonable accommodations in rules, policies, practices, or services, when such accommodations may be necessary to afford a person with disabilities equal opportunity to use and enjoy a dwelling unit.<br></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example</em>&#58; Suppose an Enterprise policy offers single-family mortgage underwriting flexibility for legal guardians of adults with developmental disabilities but not legal guardians of adults with traumatic brain injuries. The Fair Housing Act protects persons with disabilities and persons associated with them broadly, and the policy would be a violation because it treats persons associated with persons with traumatic brain injuries less favorably without any apparent justification. The policy would effectively provide a reasonable accommodation to some borrowers protected by the Fair Housing Act but not to others also protected by the Act who are similarly situated.<br></p> <br> </div></div></blockquote><div><div><h4>J.&#160;&#160;&#160;&#160;&#160; Recognized Exceptions<br></h4><p>There are activities that may appear to be violations of fair lending law but are recognized exceptions to the law. If conducted by an Enterprise according to appropriate legal standards, supervisory action would generally not be warranted in these circumstances.<br></p><h5></h5><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Special Purpose Credit Programs<br></h5><p>The ECOA and Regulation B allow for-profit creditors, including an Enterprise, to establish special-purpose credit programs benefiting applicants who meet certain eligibility requirements. Generally, these programs target an economically disadvantaged class of individuals and are authorized by federal or state law. This could include eligibility requirements involving one or more prohibited bases. The requirements for special purpose credit programs are provided for in Regulation B.<a href="#footnote41">[41]</a> Prudent risk management by an Enterprise offering such a program would also counsel good-faith conformity with the advisory opinion of the Consumer Financial Protection Bureau (CFPB) in implementation of any special purpose credit program, which would provide liability protection under section 706(e) of ECOA.<a href="#footnote42">[42]</a> HUD confirmed in legal guidance that special purpose credit programs complying with ECOA and Regulation B do not violate the Fair Housing Act,<a href="#footnote43">[43]</a> and the Department of Justice has recognized special purpose credit programs in a remedial settlement agreement that includes the Fair Housing Act.<a href="#footnote44">[44]</a><br></p><h5></h5><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Age-Restricted Properties<br></h5><p>The Fair Housing Act provides for occupant age-restricted housing under certain circumstances when the housing meets conditions under HUD's regulations.<a href="#footnote45">[45]</a> Enterprise programs that allow for purchase of occupant age-restricted properties meeting Fair Housing Act standards are permissible.</p><h5>3.&#160;&#160;&#160;&#160;&#160;&#160; Affirmative Marketing</h5><p>&#160;Affirmative advertising that attempts to reach members of traditionally disadvantaged groups or to reach persons who are least likely to apply for a program is a compliant strategy for advertising and outreach under the Fair Housing Act and the Equal Credit Opportunity Act.<a href="#footnote46">[46]</a> </p><h3>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Effective Enterprise Fair Lending Program</h3><p>The following section provides general guidance on FHFA's supervisory expectations for effective Enterprise fair lending programs. Note&#58; this guidance does not affect or supersede other FHFA supervisory guidance on risk management, including compliance risk management and model risk management.<br></p><p>FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Fair lending risk includes violations of fair lending law or conditions that permit the occurrence of fair lending violations, but also issues that subject an Enterprise to reputational harm related to issues such as fair lending and serving the Enterprise's public purposes. In this way, fair lending risk poses both management and operational risks.<br></p><p>The responsibility for an effective fair lending program goes beyond specific personnel responsible for fair lending. An effective fair lending program requires appropriate board and management oversight and support for the fair lending program, and the cooperation from business and operational areas at an Enterprise. Clear expectations that operational areas must take steps necessary to implement controls to mitigate fair lending risk and prevent the occurrence of fair lending violations should be underscored by board and management support. The fair lending program should have board and management support in conducting its work free from interference or retaliation. Cooperation with FHFA and HUD in their fair housing oversight of the Enterprise is also an important element of an effective fair lending program and a supervisory expectation of FHFA.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; Identifying Fair Lending Risk</h4><p>Identifying fair lending risk involves personnel knowledgeable in fair lending, Enterprise activities and business operations, and recurring risk assessment to identify operational areas where fair lending risk may be present.<br></p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Assessing Fair Lending Risk</h4><p>Assessing fair lending<em> </em>risk involves the assessment of operational areas using both qualitative and quantitative methods to accurately assess the amount and nature of the fair lending risk present in an operational area.</p><h4>C.&#160;&#160;&#160;&#160;&#160; Monitoring Fair Lending Risk</h4><p>Monitoring fair lending risk<em> </em>involves having processes in place to monitor the identification and assessment of fair lending risk in an operational area to ensure that the identification and assessment remain up to date and accurate. It can involve both qualitative assessment of changes in the operational area, as well as regular statistical analysis to monitor fair lending risk.</p><h4>D.&#160; &#160; &#160; Mitigating Fair Lending Risk</h4><p>Mitigating fair lending risk involves creating and supporting a control environment around operational areas where fair lending risk is identified and assessed to effectively mitigate the risk. Appropriate fair lending training both at a general level and a specific level to an operational area's specific fair lending risks are an important component of mitigating fair lending risk. Because an Enterprise's responsibility for fair lending extends to agents and, in some cases, other third parties, third party risk management is also an important component of mitigating fair lending risk. Development and assessment of less discriminatory alternatives in key business areas is an important component of mitigating fair lending risk, as well as preventing the occurrence of fair lending violations.<br></p><h4>E.&#160;&#160;&#160;&#160;&#160;&#160; Preventing the Occurrence of Fair Lending Violations</h4><p>Preventing the occurrence of fair lending violations is a core component of an effective fair lending program, and failure to prevent the occurrence of fair lending violations is an indication that fair lending risk has not been appropriately identified, assessed, and mitigated. Such failure can also indicate an operational area has not adequately implemented controls or taken the steps identified by the fair lending program necessary to mitigate fair lending risk—a broader compliance issue for that operational area and an issue implicating board and management support for fair lending and oversight of the operations of the Enterprise.<a href="#footnote47">[47]</a></p><h4>F.&#160;&#160;&#160;&#160;&#160; Cooperation</h4><p>Cooperation is an important element of an effective fair lending program and a supervisory expectation of FHFA for all Enterprise operational areas. Cooperation is expected of both business and operational areas with respect to the Enterprise's internal fair lending program, as well as with FHFA and HUD in conducting fair lending supervision. Cooperation includes the sharing of complete information requested by FHFA or HUD in fair lending supervision. FHFA's policy statement on fair lending encourages self-reporting of potential fair lending violations, and FHFA views self-reporting favorably in exercising its supervisory and enforcement discretion.<a href="#footnote48">[48]</a></p><h3>III.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Fair Lending Risk Factors</h3><p>Certain risk factors are commonly associated with higher fair lending risk and the existence of conditions under which fair lending violations may occur. FHFA's supervisory expectation is that an effective Enterprise fair lending program will take account of these risks and establish appropriate compliance controls when they are present. Failure to appropriately mitigate fair lending risk that occurs because of fair lending risk factors can result in supervisory findings depending on the facts and circumstances.</p><p>Risk factors commonly associated with higher fair lending risk include&#58;<br></p><ul><li>Substantial discretion to make decisions on transactions or properties</li><li>Lack of clear policies, procedures, business rules, or decision criteria</li><li>Use of factors in decision-making that are subjective rather than objective</li><li>Use of geographic factors or different treatment of geographies</li><li>Policies impacting outcomes that lack clear business justification</li><li>Policies impacting outcomes that have not undergone review for effectiveness or need for a significant period of time</li><li>Compensation criteria or other incentives that could lead to disparities in outcomes</li><li>Reliance on third parties without appropriate oversight</li><li>Unreliable or incomplete data</li><li>Consumer complaints</li><li>Employee statements indicating aversion to doing business in certain areas with relatively high concentration of residents sharing a protected class characteristic</li></ul><h3>IV.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Associated Fair Lending Requirements</h3><p>Requirements associated with fair lending not discussed above include requirements related to ECOA notices, data collection and reporting, the Annual Housing Activities Report, credit score approval, new activities and new products, fulfillment of HUD requirements, and FHFA conservatorship requirements. It is an FHFA supervisory expectation that an Enterprise comply with these requirements.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; ECOA Notice Requirements</h4><p>The Equal Credit Opportunity Act requires notice to applicants when a creditor participating in the credit decision takes certain actions.<a href="#footnote49">[49]</a> This includes certain servicing decisions.<a href="#footnote50">[50]</a> FHFA's supervisory expectation is that an Enterprise will comply with applicable ECOA requirements in the appropriate business lines and operational areas.</p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Data Collection and Reporting Requirements</h4><p>Each Enterprise is required by law to collect and report underlying race, ethnicity, and other demographic data used for fair lending monitoring and analysis for various purposes.<a href="#footnote51">[51]</a>&#160; The Enterprises are required to report certain fair lending information to FHFA on a quarterly basis and additional information upon request pursuant to FHFA's Enterprise Compliance and Information Submission with Respect to Fair Lending Order.<a href="#footnote52">[52]</a></p><h4>C.&#160;&#160;&#160;&#160;&#160; Annual Housing Activities Report</h4><p>Each Enterprise, in its Annual Housing Activities Report, is required to assess underwriting standards, business practices, repurchase requirements, pricing, fees, and procedures that affect the purchase of mortgages for low- and moderate-income families, or that may yield disparate results based on the race, color, religion, sex, handicap, familial status, age, or national origin of the borrower, including revisions thereto to promote affordable housing or fair lending.<a href="#footnote53">[53]</a> FHFA expects that an Enterprise will engage in a meaningful analysis of its standards, practices, and requirements that may yield disparate results on prohibited bases and provide transparency to the public into its analysis and the revisions it undertook to promote fair lending.</p><h4>D.&#160;&#160;&#160;&#160;&#160;&#160; Validation and Approval of Credit Score Models</h4><p>The FHFA regulation for validation and approval of credit score models contains requirements related to fair lending. Each application under the process must meet the standards set forth in the regulation related to fair lending compliance and certification for applications, as well as any additional requirements related to fair lending in the credit score solicitation.<a href="#footnote54">[54]</a> Each Enterprise must conduct a fair lending assessment as part of assessment process under the rule.<a href="#footnote55">[55]</a></p><h4>E.&#160;&#160;&#160;&#160;&#160;&#160; Requirements related to HUD and Federal ECOA-enforcing Agencies</h4><p>Each Enterprise is required to undertake certain actions related to fair lending enforcement in the primary mortgage market at the direction of HUD, including providing certain information to HUD regarding lenders and servicers either to assist HUD or Federal agencies enforcing ECOA, and to undertake remedial actions against certain lenders at the direction of HUD.<a href="#footnote56">[56]</a> FHFA expects that an Enterprise will fully cooperate with HUD in any such direction.<br></p><h4>F.&#160;&#160;&#160;&#160;&#160; FHFA Conservatorship Requirements</h4><p>While the Enterprises are in conservatorship, FHFA's conservatorship function for each Enterprise also includes fair lending oversight. FHFA conservatorship directives may include requirements associated with fair lending compliance or intended to further fair lending principles. FHFA expects each Enterprise to comply with these conditions and have available information demonstrating compliance for supervisory review.<br></p><h3>V.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Steps to Promote Fair Housing and Fair Lending</h3><p>The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair housing and fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market. Historically, the Enterprises have often played a leading role in adopting standards to promote fair lending. FHFA encourages each Enterprise to promote among their business counterparties fair lending compliance and the purposes of fair lending laws while furthering their public purposes in the mortgage market. While such Enterprise actions are not a substitute for ensuring fair lending compliance in an Enterprise's own operations, an effective fair lending program, or compliance with associated fair lending requirements, they demonstrate a commitment to promoting fair lending that FHFA encourages and recognizes. An Enterprise that takes such actions to promote fair lending is encouraged to document them and to provide them to FHFA during FHFA's fair lending oversight, even when not required to by other FHFA requirements.<br></p><p>Additionally, FHFA has established the Equitable Housing Finance Plan framework as conservator, under which an Enterprise is required to engage in ongoing barrier identification, planning, and goal-setting, and to undertake meaningful actions to address those barriers.<a href="#footnote57">[57]</a> Each Enterprise is also required to report progress on such plans annually. FHFA's supervisory expectation is that an Enterprise's efforts under the Equitable Housing Finance Plan will demonstrate full compliance with the framework.</p><h2> ​ <span style="text-decoration&#58;underline;"><strong></strong></span></h2><h2> <span style="text-decoration&#58;underline;"> <strong>Related Guidance and Regulations</strong></span></h2><h3>I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Federal Fair Lending Laws and Regulations</h3><p>Fair Housing Act – 42 U.S.C. 3601 <em>et seq.</em></p><p>Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100<br></p><p>Equal Credit Opportunity Act – 15 U.S.C. 1691 <em>et seq.</em></p><p>Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002<br></p><p>Safety and Soundness Act fair housing provision – 12 U.S.C. 4545<br></p><p>HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C</p><p>&#160;<br></p><h3>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; FHFA Fair Lending Guidance and Requirements</h3><p> <a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">FHFA Fair Lending Policy Statement</a><br></p><p> <a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">FHFA Fair Lending Reporting Orders</a><br></p><p> <a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf">FHFA-HUD Memorandum of Understanding Regarding Fair Housing and Fair Lending Coordination </a><br></p><p>&#160;</p><h3>III.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Federal Fair Lending Guidance</h3><p>These resources are issued by Federal agencies related to fair lending matters. They may provide helpful guidance on the application of fair lending laws or exam and investigation procedures and methods in a variety of contexts. While FHFA considers the resources relevant and helpful guidance, the list of resources is not intended to be comprehensive. FHFA carefully considers the full context of the facts and law in any particular matter involving the Enterprises' fair lending compliance.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; General Federal Fair Lending Guidance</h4><p>General guidance from Federal agencies regarding fair lending can provide helpful guidance in particular matters.<br></p><p> <a href="https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm">1994 Policy Statement on Discrimination in Lending</a><br></p><p> <a href="https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0906/09-06_attachment.pdf">Interagency Fair Lending Exam Procedures</a></p><p> <a href="https&#58;//www.hud.gov/program_offices/administration/hudclips/handbooks/fheo/80241">HUD Fair Housing Act Complaint intake, Investigation, and Conciliation Handbook</a></p><p> <a href="https&#58;//files.consumerfinance.gov/f/201307_cfpb_ecoa_baseline-review-module-fair-lending.pdf">CFPB ECOA Baseline Review Modules</a></p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Federal Enforcement Actions and Administrative Decisions</h4><p>Complaints, administrative opinions, consent orders, and similar actions by Federal agencies that enforce fair lending laws can provide helpful guidance on particular matters.<br></p><p> <a href="https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-section-cases-1">DOJ Housing and Civil Enforcement Section Cases</a><br></p><p> <a href="https&#58;//www.hud.gov/program_offices/hearings_appeals/cases/fha">HUD Administrative Law Judge Fair Housing Act Decisions</a></p><p> <a href="https&#58;//orders.fdic.gov/s/">FDIC Enforcement Actions</a></p><p> <a href="https&#58;//www.federalreserve.gov/supervisionreg/enforcementactions.htm">Federal Reserve Enforcement Actions</a></p><p> <a href="https&#58;//apps.occ.gov/EASearch/">Office of the Comptroller of the Currency Enforcement Actions</a><br></p><h4>C.&#160;&#160;&#160;&#160;&#160; Specific Federal Fair Lending Guidance</h4><p>Guidance from Federal agencies regarding specific topics as they relate to fair lending can provide helpful guidance in particular matters.<br></p><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Accessibility (Design and Construction), Group Homes, Reasonable Accommodation, Service Animals</h5><p> <a href="https&#58;//www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Accessibility (Design and Construction) Requirements for Covered Multifamily Dwellings under the Fair Housing Act</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUDAsstAnimalNC1-28-2020.pdf">Assessing a Person's Request to Have an Animal as a Reasonable Accommodation Under the Fair Housing Act (HUD FHEO-2020-01)</a></p><p> <a href="https&#58;//www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Reasonable Accommodations under the Fair Housing Act</a></p><p> <a href="https&#58;//www.justice.gov/crt/page/file/909956/download">State and Local Land Use Laws and Practices and the Application of the Fair Housing Act</a></p><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Advertising, Discriminatory Statements</h5><p> <a href="http&#58;//www.montanafairhousing.org/forms/24CFR_109.pdf">Fair Housing Act Advertising Guidelines (former 24 CFR part 109)</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_7784.PDF">Memorandum on Guidance Regarding Advertisements Under 804(c) of the Fair Housing Act</a></p><h5>3.&#160;&#160;&#160;&#160;&#160;&#160; Criminal Background Checks</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/HUD_OGCGUIDAPPFHASTANDCR.PDF">Application of Fair Housing Act Standards to the Use of Criminal Records by Providers of Housing and Real Estate-Related Transactions</a><br></p><h5>4.&#160;&#160;&#160;&#160;&#160;&#160; Gender Identity, Sexual Orientation</h5><p> <a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">Implementation of Executive Order 13988 on Enforcement of the Fair Housing Act</a><br></p><h5>5.&#160;&#160;&#160;&#160;&#160;&#160; Limited English Proficiency</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/LEPMEMO091516.PDF">Fair Housing Act Protections for Persons with Limited English Proficiency</a><br></p><h5>6.&#160;&#160;&#160;&#160;&#160;&#160; Low-Income Housing Tax Credit Properties</h5><p> <a href="https&#58;//www.justice.gov/crt/memorandum-understanding-among-department-treasury-department-housing-and-urban-development-an-0">Inter-governmental Agreement on Low-Income Housing Tax Credit Properties</a><br></p><h5>7.&#160;&#160;&#160;&#160;&#160;&#160; Models</h5><p> <a href="https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">OCC Bulletin 97-24 (Disparate Treatment and Disparate Impact sections)</a><br></p><h5>8.&#160;&#160;&#160;&#160;&#160;&#160; Occupancy Standards</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_35681.PDF">Fair Housing Enforcement – Occupancy Standards Notice of Statement of Policy</a><br></p><h5>9.&#160;&#160;&#160;&#160;&#160;&#160; Public Assistance Income</h5><p> <a href="https&#58;//files.consumerfinance.gov/f/201505_cfpb_bulletin-section-8-housing-choice-voucher-homeownership-program.pdf">Section 8 Housing Choice Voucher Homeownership Program (CFPB Bulletin 2015-02)</a><br></p><p> <a href="https&#58;//files.consumerfinance.gov/f/201411_cfpb_bulletin_disability-income.pdf">Social Security Disability Income Verification (CFPB Bulletin 2014-03)</a></p><h5>10.&#160;&#160;&#160;&#160;&#160;&#160; Real Estate Owned Property</h5><p> <a href="https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf">Questions and Answers for Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets (Fair Housing Act portions)</a><br></p><h5>11.&#160;&#160;&#160;&#160;&#160;&#160; Special Purpose Credit Programs</h5><p> <a href="https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">Advisory Opinion on Special Purpose Credit Programs</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B</a></p><h5>12.&#160;&#160;&#160;&#160;&#160;&#160; Tribal Housing</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_8818.PDF">Limiting Housing to Indian Families or Tribal Members (HUD Notice PIH 2009-4)</a><br></p><p> <br> </p><h3>IV.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Other Relevant FHFA Guidance</h3><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?node=pt12.10.1236&amp;rgn=div5#ap12.10.1236_15.1">Appendix to Part 1236, Prudential Management Operating Standards</a><br></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Enterprise-Risk-Management-Program.aspx">AB 2020-06 Enterprise Risk Management Program</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Compliance-Risk-Management.aspx">AB 2019-05 Compliance Risk Management</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">AB 2018-08 Oversight of Third-Party Provider Relationships</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Classifications-of-Adverse-Examination-Findings.aspx">AB 2017-01 Classification of Adverse Examination Findings</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx">AB 2013-07 Model Risk Management Guidance</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-03-FHFA-ENFORCEMENT-POLICY.aspx">AB 2013-03 FHFA Enforcement Policy</a><br></p><div style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">__________________<br></div></div><p></p></div><p> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <a name="footnote1">[1]</a><span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> 12 U.S.C. 4511(b)(2), 42 U.S.C. 3608(d).​</span><br></span></span></span></span></p><p> <a name="footnote2">[2]&#160;</a><a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a> </p><p> <a name="footnote3">[3]&#160;</a><a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https&#58;//www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <a name="footnote4">[4]</a><span style="font-style&#58;normal;">&#160;</span><a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;">https&#58;//www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf</a></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <span style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><a name="footnote5">[5]</a>&#160;<span style="font-style&#58;normal;">Executive Order 12892 section 2-204,</span><span style="font-style&#58;normal;">&#160;</span><em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">available at</em><span style="font-style&#58;normal;">&#58;</span><span style="font-style&#58;normal;">&#160;</span><a href="https&#58;//www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;">https&#58;//www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf</a><span style="font-style&#58;normal;">.</span></span></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"></span></span></span></span> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <em> </em><a name="footnote6">[6]</a>&#160;<span style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;"><em>See, e.g.,</em></span>&#160;12 U.S.C. 4545, 15 U.S.C. 1691(a), 42 U.S.C. 3601&#160;<span style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;"><em>et seq.</em></span></span><br></span></em></span></p><p style="font-style&#58;normal;"> <a name="footnote7">[7]</a>&#160;The Department of Housing and Urban Development has determined that the Fair Housing Act's prohibition on sex discrimination includes discrimination on the basis of sexual orientation or gender identity.&#160;<em>See</em>&#160;Implementation of Executive Order 13988 on the Enforcement of the Fair Housing Act,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf</a>. FHFA supervises and enforces the Fair Housing Act consistent with HUD's interpretation.</p><p style="font-style&#58;normal;"> <a name="footnote8">[8]</a>&#160;Interference claims are also cognizable under the Fair Housing Act and its implementing regulation.&#160;<em>See supra&#160;</em>Section H,<em>&#160;</em>Retaliation or Interference;&#160;<em>e.g.</em>,<em>&#160;</em>42 U.S.C. 3617 (“It shall be unlawful to coerce, intimidate, threaten, or interfere with any person in the exercise or enjoyment of, or on account of his having exercised or enjoyed, or on account of his having aided or encouraged any other person in the exercise or enjoyment of, any right granted or protected by section 3603, 3604, 3605, or 3606 of this title.&quot;); 24 CFR 100.400.</p><p style="font-style&#58;normal;"> <a name="footnote9">[9]</a>&#160;The Fair Housing Act uses the term “handicap&quot; instead of the term &quot;disability.&quot; Both terms have the same legal meaning.&#160;<em>See Bragdon v. Abbott</em>, 524 U.S. 624, 631 (1998) (noting that definition of&#160;<span style="font-style&#58;normal;">“disability&quot; in the Americans with Disabilities Act is drawn almost verbatim “from the definition&#160;</span><span style="font-style&#58;normal;">of 'handicap' contained in the Fair Housing Amendments Act of 1988&quot;). This document uses the&#160;</span><span style="font-style&#58;normal;">term &quot;disability,&quot; which is more generally accepted.</span></p><p style="font-style&#58;normal;"> <a name="footnote10">[10]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002, Official Interpretations, comment 2(z)-1; 24 CFR part 100.70(a).</p><p style="font-style&#58;normal;"> <a name="footnote11">[11]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.125.<br></p><p style="font-style&#58;normal;"> <a name="footnote12">[12]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.120.</p><p style="font-style&#58;normal;"> <a name="footnote13">[13]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002, Official Interpretations, comment 2(l)-1.</p><p style="font-style&#58;normal;"> <a name="footnote14">[14]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.60.</p><p style="font-style&#58;normal;"> <a name="footnote15"> [15]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.75, 100.75(c)(2).</p><p style="font-style&#58;normal;"> <a name="footnote16">[16]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.135(d)(1).</p><p style="font-style&#58;normal;"> <a name="footnote17">[17]</a>&#160;See, e.g., 24 CFR 100.130(b)(3);&#160;<em>see also&#160;</em>Federal Reserve CA 09-13 (Dec. 4, 2009) (ECOA guidance for loss mitigation under HAMP program).</p><p style="font-style&#58;normal;"> <a name="footnote18">[18]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.125(b)(2), (3).</p><p style="font-style&#58;normal;"> <a name="footnote19">[19]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.20 (definition of “dwelling&quot;)</p><p style="font-style&#58;normal;"> <a name="footnote20">[20]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.70(b).</p><p style="font-style&#58;normal;"> <a name="footnote21">[21]</a>&#160;<em>See, e.g.</em>, 24 CFR 100.135.<br></p><p style="font-style&#58;normal;"> <a name="footnote22">[22]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.7.</p><p style="font-style&#58;normal;"> <a name="footnote23">[23]</a>&#160;<em>See, e.g.,&#160;</em>24 CFR 100.7(a)(1) and (b).</p><p style="font-style&#58;normal;"> <a name="footnote24">[24]</a>&#160;<em>See, e.g.</em>, 24 CFR 100.7(a)(1)(iii).​<br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <a name="footnote25">[25]</a><span style="font-style&#58;normal;">&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See, e.g.,</em><span style="font-style&#58;normal;">&#160;1994 Policy Statement on Discrimination in Lending,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm</a><span style="font-style&#58;normal;">; Federal Financial Institutions Examination Council Interagency Fair Lending Exam Procedures,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.ffiec.gov/PDF/fairlend.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.ffiec.gov/PDF/fairlend.pdf</a><span style="font-style&#58;normal;">.</span><span style="font-style&#58;normal;">&#160;&#160;</span><br></span></em></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <a name="footnote26">[26]</a><span style="font-style&#58;normal;">&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See, e.g.</em><span style="font-style&#58;normal;">, 42 U.S.C. 3604(b), 24 CFR 100.65(b)(2),&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">Nat'l Fair Hous. Alliance v. Bank of Am., N.A.</em><span style="font-style&#58;normal;">, 401 F. Supp. 3d 619, 639 (D.Md. July 18, 2019), Questions and Answers For Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets, June 27, 2012,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf</a><span style="font-style&#58;normal;">&#160;&#160;&#160;</span><span style="font-style&#58;normal;">(“[I]nstitutions may not avoid or delay the maintenance or repairs of dwellings based on the racial or ethnic composition of the geographic area where they are located.&quot;)</span>​<br></span></em></span></p><div><p style="font-style&#58;normal;"> <a name="footnote27">[27]</a>&#160;<em>See, e.g.,</em>&#160;1994 Policy Statement, Interagency Fair Lending Exam Procedures.</p><p style="font-style&#58;normal;"> <a name="footnote28">[28]</a>&#160;<em>See, e.g.,</em>&#160;1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures.<br></p></div><p style="font-style&#58;normal;"> <a name="footnote29">[29]</a>&#160;<em>Ash v. Tyson Foods, Inc.</em>, 546 U.S. 454, 456 (2006).&#160;<em>See</em>&#160;<em>Avenue 6E Investments, LLC v. City of Yuma</em>, 818 F.3d 493, 506 (9th Cir. 2016) (applying&#160;<em>Ash v. Tyson</em>&#160;standard in a Fair Housing Act case). In general, when analyzing the custom factor, FHFA looks at real estate and mortgage industry standards and practices rather than “local&quot; custom as suggested by the Supreme Court in the employment context.</p><p style="font-style&#58;normal;"> <a name="footnote30">[30]</a>&#160;<em>See, e.g.</em>,<em>&#160;Toledo Fair Hous. Ctr. v. Nationwide Mut. Ins. Co.</em>, 704 N.E.2d 667, 674 (Ct. Com.Pl. Ohio 1997) (noting “pride of ownership&quot; as subjective, discriminatory criteria in insurance underwriting);&#160;Consent Decree in&#160;<em>United States v. Nationwide Mut. Ins. Co.</em>, C2-97-291 (S.D. Ohio Mar. 10, 1997),&#160;<em>available&#160;at&#160;<span style="font-size&#58;11pt;font-family&#58;calibri, sans-serif;"><a href="https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367">https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367</a>&#160;</span></em>(banning “pride of ownership&quot; in insurer's underwriting as discriminatory);&#160;<em>Avenue 6E Investments, LLC v. City of Yuma</em>, 818 F.3d at 499&#160;&#160;(noting “pride of ownership&quot; as discriminatory comment in public opposition to affordable housing development);&#160;Uniform Standards of Professional Appraisal Practice, Advisory Opinion 16 (advising appraisers not to use the term “high-crime area&quot; in fair housing advisory opinion from Appraisal Advisory Board)<em>. See Greater New Orleans Fair Hous. Action Ctr. v. St. Bernard Parish</em>, 641 F.Supp.2d 563, 571–72 (E.D.La.2009) (finding references to crime “racially-loaded&quot;);&#160;<em>Atkins v. Robinson</em>, 545 F. Supp. 852, 874 (E.D.Va.1982) (reference to “an abundance of crime&quot; “may be interpreted as [a] veiled reference[ ] to race&quot;);&#160;<em>Pierce v. Metropolitan Liability &amp; Property Ins. Co</em>., 1983 U.S. Dist. LEXIS 11368, *18 (S.D. Ohio 1983) (“This report stated, in part, that the Plaintiffs' house was located in an area where there were a number of vacant or run-down houses, that the area of Plaintiffs' residence was located in a center city with a high frequency of reports of crime and vice. Based upon these facts, one could infer that Plaintiffs' house was located in a predominantly minority area.&quot;);&#160;<em>Barrick Realty, Inc. v. City of Gary</em>, 354 F. Supp. 126 (N.D. Ind. 1973) (“Among the fears of white residents as non-whites begin to move into their neighborhood are rising crime rates, overcrowded schools, declining property values, and a generally lower quality of life.&quot;).<br></p><p style="font-style&#58;normal;"> <a name="footnote31">[31]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.500, 12 CFR 1002.6(a), 1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures.</p><p style="font-style&#58;normal;"> <a name="footnote32">[32]</a>&#160;<em>See, e.g.,</em>&#160;OCC Bulletin 97-24,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf</a>&#160;(“National banks should avoid including in their credit scoring systems variables that have little influence on the total credit score, yet disadvantage applicants on a prohibited basis to a statistically significant degree.&quot;).&#160;<br></p><p style="font-style&#58;normal;"> <a name="footnote33">[33]</a>&#160;12 U.S.C. 4545(1), 24 CFR 81.42; 12 U.S.C. 1716(4) (Fannie Mae charter); 1451(b)(4) (Freddie Mac charter).</p><p style="font-style&#58;normal;"> <a name="footnote34">[34]</a>&#160;24 CFR 100.75. Affirmative marketing meeting certain requirements may be considered an exception to this prohibition.&#160;<em>See</em>&#160;<em>supra&#160;</em>I.J, Recognized Exceptions..</p><p style="font-style&#58;normal;"> <a name="footnote35">[35]</a>&#160;24 CFR 100.75(c)(2).</p><p style="font-style&#58;normal;"> <a name="footnote36">[36]</a>&#160;24 CFR 100.70.</p><p style="font-style&#58;normal;"> <a name="footnote37">[37]</a>&#160;12 CFR 1002.4(b).<br></p><p style="font-style&#58;normal;"> <a name="footnote38">[38]</a>&#160;24 CFR 100.135(d)(1). The Fair Housing Act does include a limited exemption for appraisers, who may “take into consideration factors other than race, color, religion, national origin, sex, [disability]. . ., or familial status&quot; regardless of other requirements in the statute. 42 U.S.C. 3605(c).</p><p style="font-style&#58;normal;"> <a name="footnote39">[39]</a>&#160;12 U.S.C. 4545(1), (6).</p><p style="font-style&#58;normal;"> <a name="footnote40">[40]</a>&#160;24 CFR 100.400.<br></p><div><p style="font-style&#58;normal;"> <a name="footnote41">[41]</a>&#160;<em>See</em>&#160;12 CFR 1002.8.</p><p style="font-style&#58;normal;"> <a name="footnote42">[42]</a>&#160;See Advisory Opinion on Special Purpose Credit Programs (Dec. 21, 2020), available at&#58;&#160;<a href="https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/</a>.</p><p style="font-style&#58;normal;"> <a name="footnote43">[43]</a>&#160;See Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B (Dec. 6, 2021), available at&#58;&#160;<a href="https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf</a>.</p><p style="font-style&#58;normal;"> <a name="footnote44">[44]</a>&#160;<em>See, e.g.,&#160;</em>Settlement Agreement between the United States of America and Kleinbank, May 8, 2018,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.justice.gov/opa/press-release/file/1060996/download">https&#58;//www.justice.gov/opa/press-release/file/1060996/download</a>.&#160;<br></p><p style="font-style&#58;normal;"> <a name="footnote45">[45]</a>&#160;24 CFR part 100 subpart E.</p><p style="font-style&#58;normal;"> <a name="footnote46">[46]</a>&#160;12 CFR 1002.4 comment 4(b)-2.<br></p><p style="font-style&#58;normal;"> <a name="footnote47">[47]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR part 1236.</p><p style="font-style&#58;normal;"> <a name="footnote48">[48]</a>&#160;<a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a>.<br></p><p style="font-style&#58;normal;"> <a name="footnote49">[49]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002.9.</p><p style="font-style&#58;normal;"> <a name="footnote50">[50]</a>&#160;<em>See,</em>&#160;<em>e.g.,</em>&#160;Federal Reserve Consumer Affairs Letter 09-13,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm">https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm</a>.<br></p><p style="font-style&#58;normal;"> <a name="footnote51">[51]</a>&#160;12 U.S.C. 1456(e), 1723a(m), 4544(b)(3), 4545(2)-(3), 4561(d)(1). Primary mortgage market lenders are required to collect data for government fair lending monitoring as well under 12 CFR 1002.13 and 12 CFR part 1003. The Enterprises' Uniform Residential Loan Application (URLA) is a vehicle frequently used for the collection of this data across the mortgage industry.</p><p style="font-style&#58;normal;"> <a name="footnote52">[52]</a>&#160;<em>See</em>&#160;In Re&#58; Enterprise Compliance and Information Submission with Respect to Fair Lending, Order No. 2021-OR-FNMA-2 and Order No. 2021-OR-FHLMC-2,<em>&#160;available at&#58;&#160;</em><a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https&#58;//www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a>.</p><p style="font-style&#58;normal;"> <a name="footnote53">[53]</a>&#160;24 CFR 81.43.</p><p style="font-style&#58;normal;"> <a name="footnote54">[54]</a>&#160;12 CFR 1254.6(a), (a)(2).</p><p style="font-style&#58;normal;"> <a name="footnote30">[55]</a>&#160;12 CFR 1254.8(b)(2).<br></p><p style="font-style&#58;normal;"><a name="footnote30">[56]</a> 24 CFR 81.244, 81.46.<br></p><p style="font-style&#58;normal;"> <a name="footnote57">[57]</a><span style="font-style&#58;normal;">&#160;</span><a href="/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf</a><span style="font-style&#58;normal;">.</span></p></div><div>​<br></div><div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>FHFA has statutory responsibility to ensure&#160; that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes and applicable law.&#160; Advisory Bulletins describe&#160;supervisory expectations in&#160;particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact James Wylie at&#160;<a href="mailto&#58;James.Wylie@FHFA.gov">James.Wylie@FHFA.gov​</a>&#160;or by phone at 1-202-649-3209.<br></p></td></tr></tbody></table> <br>​<br><br>​<br></div></div>12/20/2021 9:43:06 PMHome / Supervision & Regulation / Advisory Bulletins / Enterprise Fair Lending and Fair Housing Compliance Advisory Bulletin AB 2021-04:  Enterprise Fair Landing and Fair 17241https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention34027FHLB & Fannie Mae & Freddie Mac8/25/2021 4:00:00 AMAB 2021-03​​​​​​​​​​<br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2021-03&#58;&#160;&#160;FRAMEWORK FOR ADVERSELY CLASSIFYING LOANS, OTHER REAL ESTATE OWNED, AND OTHER ASSETS AND LISTING ASSETS FOR SPECIAL MENTION</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong></strong></em></em></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em></em></strong></span></p><p> <em style="text-decoration&#58;underline;"><strong>Purpose</strong></em><br></p><p>​This Advisory Bulletin (Advisory Bulletin, or guidance) establishes guidelines for adverse and non-adverse classification of assets (assets refer to on-balance sheet or off-balance sheet credit exposures) at Fannie Mae and Freddie Mac (Enterprises) and the Federal Home Loan Banks (FHLB​anks) (collectively, the regulated entities).&#160; These guidelines describe sound practices for managing credit risk at the regulated entities.&#160; This guidance does not apply to investment securities.<a href="#footnote1">[1]</a>&#160; ​This Advisory Bulletin rescinds and replaces <em>Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets For Special Mention</em> (AB 2012-02), and rescinds <em>Clarification of Implementation for Advisory Bulletin 20</em><em>12-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</em>&#160;(AB 2013-02).<br></p><p>FHFA examiners will evaluate how the regulated entities apply this guidance to their classification practices.</p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>The purpose of this Advisory Bulletin is to establish a standard and uniform methodology for classifying regulated entity assets based on their credit quality, as well as to affirm the basis for writing off loans classified as Loss.&#160; Asset classification is a critical element in evaluating the risk profile of the regulated entities.&#160; Asset classification also provides a mechanism to validate the regulated entity's internal risk identification processes and establishes a common set of classification definitions to serve as the basis for asset quality metrics.&#160; In addition, this Advisory Bulletin describes procedures for listing assets for Special Mention, which can be an effective method to identify and rectify weaknesses in credit management practices before deterioration occurs.&#160; This guidance considers and is generally consistent with the <em>Uniform Retail Credit Classification and Account Management Policy&#160;&#160;</em>issued by the Federal Financial Institutions Examination Council (FFIEC) in June 2000, which established specific procedures for the adverse classification of residential mortgage loans and other retail loans.<br></p><p>This Advisory Bulletin is intended to be consistent with applicable statutes, regulations, and Generally Accepted Accounting Principles (GAAP).&#160; It does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards, <em>i.e.,</em>&#160;GAAP.&#160; Any conflicts should be resolved to comply with applicable laws and regulations, and to conform to applicable accounting standards.&#160;&#160;<br></p><p style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p> <strong>I. Definitions</strong></p><p>The following definitions apply when considering the adverse classification of assets at the regulated entities.<br></p><p>An asset classified <strong> <em>Substandard </em></strong>is protected inadequately by the current net worth and paying capacity of the obligor, or by the collateral pledged, if any.&#160; Assets so classified must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt.&#160;&#160;They are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected.<br></p><p>An asset classified <strong> <em>Doubtful</em></strong> has all the weaknesses inherent in one classified <strong> <em>Substandard </em></strong>with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently existing facts, conditions, and values, highly questionable and improbable.<br></p><p>An asset, or portion thereof, classified <strong> <em>Loss </em></strong>is considered uncollectible, and of such little value that its continuance on the books is not warranted.&#160; This classification does not mean that the asset has absolutely no recovery or salvage value; rather, it is not practical or desirable to defer writing off an essentially worthless asset (or portion thereof), even though partial recovery may occur in the future.<br></p><p></p><p> <strong>II. Adverse Classification of Assets</strong></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>A. Single-Family Residential Mortgage Loans</em></p></blockquote><p> <strong></strong></p><p> <span style="color&#58;#444444;">Single-family residential mortgage loans, including FHLBank Acquired Member Assets (AMA),</span><a href="#footnote2" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[2]</a><span style="color&#58;#444444;">&#160;​consist of first mortgages secured by one-to-four family residential real estate.&#160;&#160;Given their size, general homogeneity, and the volume of residential mortgage loans at the Enterprises and the FHLBanks, it may be impractical to individually review specific loans to determine credit quality.&#160; Such loans should be classified using the following guidelines&#58;</span></p><ul><li> <span style="color&#58;#444444;">​Single-family residential real estate loans that are delinquent 90 days or more with loan-to-value ratios greater than 60 percent, should be classified Substandard.</span></li><li> <span style="color&#58;#444444;">A current assessment of value should be made before a single-family residential mortgage loan with a loan-to-value ratio greater than 60 percent is more than 180 days past due.&#160; Any outstanding loan balance in excess of the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding</span><a href="#footnote3" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[3]</a><span style="color&#58;#444444;">&#160;​credit enhancements should be classified Loss not later than when the loan is 180 days delinquent.&#160; Properly secured residential real estate loans with loan-to-value ratios equal to or less than 60 percent are generally not classified based solely on delinquency status.</span></li><li> <span style="color&#58;#444444;">When a borrower is in bankruptcy, a portion of the loan should be classified as Loss and written down to the fair value of the collateral, less costs to sell, within 60 days of receipt of the notification of filing from the bankruptcy court or within the delinquency time frames specified in this policy, whichever is shorter, unless it can be clearly demonstrated and documented that repayment is likely to occur.&#160; Any loan balance remaining after write-off should be classified Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months.</span></li><li> <span style="color&#58;#444444;">Fraudulent loans, if not covered by any existing representations and warranties in the loan purchase agreement, should be classified as Loss and written off within 90 days of discovery of the fraud, or within the delinquency time frames specified in this adverse classification policy, whichever is shorter.</span></li></ul><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote4">[4]</a>&#160; ​A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>If the regulated entity can clearly document that the delinquent loan is well-secured and in the process of collection, such that collection will occur regardless of delinquency status, then the loan need not be adversely classified.&#160; A well-secured loan is collateralized by a perfected security interest in real property with an estimated fair value, less costs to sell, sufficient to recover the loan balance.&#160; &quot;In the process of collection&quot; means that either a collection effort or legal action is proceeding and is reasonably expected to result in recovery of the loan balance or restoration of the loan to a current status, generally within the next 90 days.&#160; Other exceptions to this adverse classification policy might be for loans that are supported by valid insurance claims, such as federal loan guarantee programs.</p><p>In determining a single-family mortgage loan's delinquency status, the regulated entity should use one of two methods to recognize partial payments.&#160; A payment equivalent to 90 percent or more of the contractual payment may be considered a full payment in computing delinquency.&#160; Alternatively, the regulated entity may aggregate payments and give credit for any partial payment received.&#160; For example, if a regular payment is $300 and the borrower makes payments of only $150 per month for a six-month period, the loan would be $900, or three full months delinquent.&#160; A regulated entity may use either or both methods for loans in its portfolio but may not use both methods simultaneously with a single loan.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>B. Multifamily Residential Mortgage Loans</em><br></p></blockquote><p>Multifamily residential mortgage loans consist of first mortgages secured by multifamily (5 units or more) residential real estate.&#160; Multifamily real estate loans should not be adversely classified if they are current and are adequately protected by the underlying collateral value and debt service capacity of the property, or a guarantor with demonstrated ability and willingness to perform on the loan.&#160; The following applies to the adverse classification of multifamily residential mortgage loans.</p><p>To determine the appropriate adverse classification, examiners will evaluate the prospects that the loan will be repaid in the normal course of business considering all relevant information.&#160; This includes information on the borrower's creditworthiness and payment record, the nature and degree of protection provided by the cash flow and value of the underlying collateral, and any support provided by financially responsible guarantors.&#160; As a general principle, a performing multifamily real estate loan should not automatically be adversely classified or written off solely because the value of the underlying collateral has declined to an amount that is less than the loan balance.&#160; Similarly, loans to sound borrowers that are refinanced or renewed in accordance with prudent underwriting standards and have not been formally restructured due to troubled condition should not be adversely classified unless well-defined weaknesses exist that jeopardize repayment in the normal course of business.&#160; However, it would be appropriate to adversely classify a performing loan when well-defined weaknesses exist that jeopardize repayment – such as the lack of credible support from reliable sources – using the definitions of Substandard, Doubtful, and Loss set forth above.<br></p><p>Multifamily loans with well-defined weaknesses that subject the regulated entity to the possibility of loss, even if the loan is not seriously delinquent (90 days or more), should be classified Substandard.&#160; For a multifamily loan where there are no available and reliable sources of repayment other than the sale of the underlying real estate collateral, any portion of the loan balance that exceeds the sum of&#160;(i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding credit enhancements, should be classified Loss and written off.&#160; The remaining portion of the loan balance that is adequately secured should generally be classified no worse than Substandard.&#160; The amount of the loan balance in excess of the value of the collateral, or portions thereof, should be classified Doubtful, and not Loss, only when the potential for loss may be mitigated by the outcome of certain near-term (generally, within 90 days) pending events.&#160; The Doubtful classification is seldom used and is reserved for situations like those described here.<br></p><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote5">[5]</a>&#160;&#160;A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>When analyzing a formally restructured multifamily loan, the examiner will focus on the borrower's ability to repay the loan in accordance with its modified terms.&#160; Adversely classifying a formally restructured loan would be appropriate, if, after the restructuring, well-defined weaknesses continue to exist that jeopardize the repayment of the loan in accordance with the modified terms.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>C. Other Real Estate Owned</em></p></blockquote><p>Other Real Estate Owned (REO) should be evaluated for possible adverse classification of Substandard, Doubtful or Loss.&#160; The regulated entity should make periodic (at least annual) reappraisals of the value of the REO.&#160;&#160;In cases when a reliable appraisal is not available, or the appraisal on file is outdated, there are other acceptable methods the regulated entity can use for determining and documenting the value of the REO.&#160; For purposes of classification, any portion of the balance of the REO in excess of fair value, less costs to sell, should be classified Loss.&#160; However, the portion of the held-for-sale REO classified as Loss should not be written off.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the remaining book value of the REO.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">D. Other Assets (including Off-Balance Sheet Credit Exposures)</em></p></blockquote><p>Although not specifically enumerated, the regulated entities may have other assets such as accrued interest receivables, property tax and insurance advance receivables, reverse repurchase (repo) receivables, and insurance benefit receivables that warrant adverse classification.&#160; Similarly, off-balance sheet credit exposures such as standby letters of credit and financial guarantees may also warrant adverse classification.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the assets and off-balance sheet credit exposures.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>E. FHLBank Advances</em></p></blockquote><p>Advances made by the FHLBanks to their members and housing associates generally pose minimal credit risk.&#160; Advances must be fully secured by eligible collateral and, in the case of member advances, are further secured by the borrowing members'&#160;FHLBank capital stock.&#160; In addition, the Federal Home Loan Bank Act grants each FHLBank a priority lien over the liens of other similarly-situated creditors on assets securing member advances.<a href="#footnote6">[6]</a> &#160;However, there may be instances in which collateral adequacy may be uncertain and/or the priority lien may not be relied upon, such as in the case of advances to&#160; housing associates, or where another creditor has a superior lien under applicable law (for example, where the other creditor's lien is perfected, but the FHLBank's lien is not).&#160; In such cases, examiners will evaluate the facts and circumstances to determine whether it is appropriate to adversely classify the advance.</p><p> <strong>III. Non-Adverse Classification of Assets – Special Mention</strong><br></p><p>In some instances, it may be appropriate to list an asset for Special Mention.&#160; The following definition should be used for listing an asset for Special Mention&#58;<br></p><p>A <strong> <em>Special Mention </em></strong>asset has potential weaknesses that deserve management's close attention.&#160; If left uncorrected, these potential weaknesses may result in deterioration of the assets'&#160;repayment prospects or may cause deterioration in the regulated entity's credit position at some future date.&#160; <strong> <em>Special Mention</em></strong> assets are not adversely classified and do not expose a regulated entity to sufficient risk to warrant adverse classification.<br></p><p>Ordinarily, assets listed for Special Mention have deficiencies in the administration of those assets which corrective management action might remedy, for example, weak loan origination and/or weak servicing policies.&#160; While inadequate policies and practices could ultimately result in deterioration of the asset and adverse classification, an asset should not be adversely classified unless it also meets one or more of the adverse classification indicators.&#160; The Special Mention classification serves as an indicator of the quality of the asset portfolio and should be used to provide direction to management on corrective measures that might be taken to strengthen an asset to avoid potential deterioration in the asset's quality.<br></p><p>Mortgages held by the regulated entities that are in loss mitigation, or have been modified and are performing according to the terms of the modification, should be listed as Special Mention but not adversely classified.&#160; The loan no longer needs to be listed as Special Mention after performance according to the terms of the modification has occurred for a period of six consecutive months.&#160; If the loan becomes delinquent after modification, adverse classification could apply according to the previously described criteria.<br></p><p>The level of adversely classified assets or assets listed for Special Mention is an indicator of the regulated entity's asset quality and overall risk profile, and may indicate whether risk management practices regarding underwriting and loan administration are effective.&#160; At a minimum, management and boards of directors of the regulated entities should evaluate risk management and other asset-specific policies and procedures annually to ensure that appropriate risk controls have been implemented.<a href="#footnote7">[7]</a>&#160;&#160;If the level of adversely classified assets suggests deterioration in any asset category, more frequent evaluations of the related policies and procedures are appropriate.&#160; Risk management and other policies will be reviewed by FHFA as part of its supervision program.<br></p><p> <strong> <em>Related Guidance and Regulations</em></strong><br></p><p>FASB ASC 326-20, Financial Instruments - Credit Losses – Measured at Amortized Cost<br></p><p>Uniform Retail Credit Classification and Account Management Policy, FFIEC<br></p><div><p> <a name="footnote1">[1]</a>&#160;Investment securities refer to securities subject to the guidance of the Financial Accounting Standards Board (FASB)'s Accounting Standards Codification (ASC), Topic 320, Investments – Debt Securities, and Subtopic 325-40, Investments – Other - Beneficial Interests in Securitized Financial Assets.<br></p><p> <a name="footnote2">[2]</a>&#160;The AMA regulation (12 CFR part 1268) authorizes FHLBanks to acquire certain assets (principally, conforming residential mortgage loans) from their members and housing associates and prescribes the parameters within which each FHLBank may do so.&#160;<br></p><p> <a name="footnote3">[3]</a>&#160;Examples of non-freestanding credit enhancements include, but are not limited to, private mortgage insurance, the Federal Housing Administration's (FHA) insurance, the Department of Veteran Affairs'&#160;(VA) guarantee, and for the FHLBanks'&#160;Acquired Member Assets (AMA) program, the various types of permissible agreements to share credit losses in purchased loans with the selling members.</p><p> <a name="footnote4">[4]</a>&#160;1) As required to maintain compliance with GAAP.&#160; 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote5">[5]</a>&#160;1) As required to maintain compliance with&#160; GAAP. 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote6">[6]&#160;</a><em>See </em>12 U.S.C. §&#160;1430(e).&#160; Although this provision grants FHLBank liens priority over those of similarly-situated creditors, it does not grant FHLBank liens priority over those of creditors with liens entitled to priority under otherwise applicable law.<br></p><p> <a name="footnote7">[7]</a>&#160;<em>See </em>12 CFR part 1236, Appendix (Prudential Management and Operations Standards).​&#160;&#160;<br></p></div><div> <br> </div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory&#160;bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160;&#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <br>8/25/2021 2:00:32 PMHome / Supervision & Regulation / Advisory Bulletins / Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special 10334https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx

© 2024 Federal Housing Finance Agency